Abstract

This paper introduces a new proof calculus for differential dynamic logic (dL) that is entirely based on uniform substitution, a proof rule that substitutes a formula for a predicate symbol everywhere. Uniform substitutions make it possible to rely on axioms rather than axiom schemata, substantially simplifying implementations. Instead of subtle schema variables and soundness-critical side conditions on the occurrence patterns of variables, the resulting calculus adopts only a finite number of ordinary dL formulas as axioms. The static semantics of differential dynamic logic is captured exclusively in uniform substitutions and bound variable renamings as opposed to being spread in delicate ways across the prover implementation. In addition to sound uniform substitutions, this paper introduces differential forms for differential dynamic logic that make it possible to internalize differential invariants, differential substitutions, and derivations as first-class axioms in dL.

Keywords: differential dynamic logic, uniform substitution, axioms, differentials, static semantics


1 Introduction 

Differential dynamic logic (dL) is a logic for proving correctness properties of hybrid systems. It has a sound and complete proof calculus relative to differential equations [5] and a sound and complete proof calculus relative to discrete systems. Both sequent calculi [5] and Hilbert-type axiomatizations have been presented for dL, but only the former has been implemented. The implementation of dL's sequent calculus in KeYmaera [11] makes it straightforward for users to prove properties of hybrid systems, because it provides rules performing natural decompositions for each operator. The downside is that the implementation of the rule schemata and their side conditions on occurrence constraints and relations of reading and writing of variables, as well as rule applications in context, is nontrivial and inflexible in KeYmaera.
The goal of this paper is to identify how to make it straightforward to implement the axioms and proof rules of differential dynamic logic by writing down a finite list of axioms (concrete formulas, not axiom schemata that represent an infinite list of axioms subject to sophisticated soundness-critical schema variable matching implementations). Axioms of this kind require multiple axioms to be combined with one another to obtain the effect that a user would want for proving a hybrid system conjecture. This paper argues that this is still a net win for hybrid systems, because a substantially simpler prover core is easier to implement correctly, and the need to combine multiple axioms to obtain user-level proof steps can be achieved equally well by appropriate tactics, which are not soundness-critical.

To achieve this goal, this paper follows observations for differential game logic [9] that highlight the significance and elegance of uniform substitutions, a classical proof rule for first-order logic [2, §35,40]. Uniform substitutions uniformly instantiate predicate and function symbols with formulas and terms, respectively, as functions of their arguments. In the presence of the nontrivial binding structure that nondeterminism and differential equations of hybrid programs induce for the dynamic modalities of differential dynamic logic, flexible but sound uniform substitutions become more complex for dL, but can still be read off elegantly from its static semantics. In fact, dL's static semantics is solely captured¹ in the implementation of uniform substitution (and bound variable renaming), thereby leading to a completely modular proof calculus.

This paper introduces a static and dynamic semantics for differential-form dL, proves coincidence lemmas and uniform substitution lemmas, culminating in a soundness proof for uniform substitutions (Section 3). It exploits the new differential forms that this paper adds to dL for internalizing differential invariants [6], differential cuts [6, 8], differential ghosts [8], differential substitutions, total differentials and Lie-derivations [6, 8] as first-class citizens in dL, culminating in entirely modular axioms for differential equations and a superbly modular soundness proof. This approach is to be contrasted with earlier approaches for differential invariants that were based on complex built-in rules [6, 8]. The relationship to related work from previous presentations of differential dynamic logic [5, 7] continues to apply, except that dL now internalizes differential equation reasoning axiomatically via differential forms.


2 Differential-Form Differential Dynamic Logic 

2.1 Syntax 

Formulas and hybrid programs (HPs) of dL are defined by simultaneous induction based on the following definition of terms. Similar simultaneous inductions are used throughout the proofs for dL. The set of all variables is $\mathcal{V}$. For any $V \subseteq \mathcal{V}$, let $V' = \{x' : x \in V\}$ be the set of differential symbols $x'$ for the variables in $V$. Function symbols are written $f, g, h$, predicate symbols $p, q, r$, and variables $x, y, z \in \mathcal{V}$ with differential symbols $x', y', z' \in \mathcal{V}'$. Program constants are $a, b, c$.

¹ This approach is dual to other successful ways of solving the intricacies and subtleties of substitutions by imposing occurrence side conditions on axiom schemata and proof rules, which is what uniform substitutions can get rid of.
Definition 1 (Terms). Terms are defined by this grammar (with $\theta, \eta, \theta_1, \dots, \theta_k$ as terms, $x \in \mathcal{V}$ as variable, $x' \in \mathcal{V}'$ differential symbol, and $f$ function symbol):

$$\theta, \eta ::= x \mid x' \mid f(\theta_1, \dots, \theta_k) \mid \theta + \eta \mid \theta \cdot \eta \mid (\theta)'$$

Number literals such as 0, 1 are allowed as function symbols without arguments that are always interpreted as the numbers they denote. Beyond differential symbols $x'$, differential-form dL allows differentials $(\theta)'$ of terms $\theta$ as terms for the purpose of axiomatically internalizing reasoning about differential equations.

Definition 2 (Hybrid program). Hybrid programs (HPs) are defined by the following grammar (with $\alpha, \beta$ as HPs, program constant $a$, variable $x$, term $\theta$ possibly containing $x$, and formula $\psi$ of first-order logic of real arithmetic):

$$\alpha, \beta ::= a \mid x := \theta \mid x' := \theta \mid ?\psi \mid x' = \theta \,\&\, \psi \mid \alpha \cup \beta \mid \alpha; \beta \mid \alpha^*$$

Assignments $x := \theta$ of $\theta$ to variable $x$, tests $?\psi$ of the formula $\psi$ in the current state, differential equations $x' = \theta \,\&\, \psi$ restricted to the evolution domain constraint $\psi$, nondeterministic choices $\alpha \cup \beta$, sequential compositions $\alpha; \beta$, and nondeterministic repetition $\alpha^*$ are as usual in dL [7]. The effect of the differential assignment $x' := \theta$ to differential symbol $x'$ is similar to the effect of the assignment $x := \theta$ to variable $x$, except that it changes the value of the differential symbol $x'$ instead of the value of $x$. It is not to be confused with the differential equation $x' = \theta$, which will follow said differential equation continuously for an arbitrary amount of time. The differential assignment $x' := \theta$, instead, only assigns the value of $\theta$ to the differential symbol $x'$ discretely once at an instant of time. Program constants $a$ are uninterpreted, i.e. their behavior depends on the interpretation in the same way that the values of function symbols $f$ and predicate symbols $p$ depend on their interpretation.

Definition 3 (dL formula). The formulas of (differential-form) differential dynamic logic (dL) are defined by the grammar (with dL formulas $\phi, \psi$, terms $\theta, \eta, \theta_1, \dots, \theta_k$, predicate symbol $p$, quantifier symbol $C$, variable $x$, HP $\alpha$):

$$\phi, \psi ::= \theta \geq \eta \mid p(\theta_1, \dots, \theta_k) \mid C(\phi) \mid \neg\phi \mid \phi \wedge \psi \mid \forall x\, \phi \mid \exists x\, \phi \mid [\alpha]\phi \mid \langle\alpha\rangle\phi$$

Operators $>, \leq, <, \vee, \to, \leftrightarrow$ are definable, e.g., $\phi \to \psi$ as $\neg(\phi \wedge \neg\psi)$. Likewise $[\alpha]\phi$ is equivalent to $\neg\langle\alpha\rangle\neg\phi$ and $\forall x\,\phi$ is equivalent to $\neg\exists x\,\neg\phi$. The modal formula $[\alpha]\phi$ expresses that $\phi$ holds after all runs of $\alpha$, while the dual $\langle\alpha\rangle\phi$ expresses that there is a run of $\alpha$ after which $\phi$ holds. Quantifier symbols $C$ (with formula $\phi$ as argument), i.e. higher-order predicate symbols that bind all variables of $\phi$, are unnecessary but internalize contextual congruence reasoning efficiently.

2.2 Dynamic Semantics 

A state is a mapping from variables $\mathcal{V}$ and differential symbols $\mathcal{V}'$ to $\mathbb{R}$. The set of states is denoted $\mathcal{S}$. Let $\nu_x^r$ denote the state that agrees with state $\nu$ except for the value of variable $x$, which is changed to $r \in \mathbb{R}$, and accordingly for $\nu_{x'}^r$. The interpretation of a function symbol $f$ with arity $n$ (i.e. with $n$ arguments) is a smooth function $I(f) : \mathbb{R}^n \to \mathbb{R}$ of $n$ arguments.
Definition 4 (Semantics of terms). For each interpretation $I$, the semantics of a term $\theta$ in a state $\nu \in \mathcal{S}$ is its value in $\mathbb{R}$. It is defined inductively as follows

1. $[\![x]\!]^I\nu = \nu(x)$ for variable $x \in \mathcal{V}$

2. $[\![x']\!]^I\nu = \nu(x')$ for differential symbol $x' \in \mathcal{V}'$

3. $[\![f(\theta_1, \dots, \theta_k)]\!]^I\nu = I(f)\big([\![\theta_1]\!]^I\nu, \dots, [\![\theta_k]\!]^I\nu\big)$ for function symbol $f$

4. $[\![\theta + \eta]\!]^I\nu = [\![\theta]\!]^I\nu + [\![\eta]\!]^I\nu$

5. $[\![\theta \cdot \eta]\!]^I\nu = [\![\theta]\!]^I\nu \cdot [\![\eta]\!]^I\nu$

6. $[\![(\theta)']\!]^I\nu = \displaystyle\sum_{x} \nu(x')\, \frac{\partial [\![\theta]\!]^I}{\partial x}(\nu)$

Time-derivatives are undefined in an isolated state $\nu$. The clou is that differentials can still be given a local semantics: $[\![(\theta)']\!]^I\nu$ is the sum of all (analytic) spatial partial derivatives of the value of $\theta$ by all variables $x$ (or rather their values $X$) multiplied by the corresponding tangent described by the value $\nu(x')$ of differential symbol $x'$. That sum over all variables $x \in \mathcal{V}$ has finite support, because $\theta$ only mentions finitely many variables $x$ and the partial derivative by variables $x$ that do not occur in $\theta$ is 0. The spatial derivatives exist since $[\![\theta]\!]^I$ is a composition of smooth functions, so smooth. Thus, the semantics of $[\![(\theta)']\!]^I\nu$ is the differential² of (the value of) $\theta$, hence a differential one-form giving a real value for each tangent vector (i.e. vector field) described by the values $\nu(x')$. The values $\nu(x')$ of the differential symbols $x'$ describe an arbitrary tangent vector or vector field. Along the flow of (the vector field of a) differential equation, though, the value of the differential $(\theta)'$ coincides with the analytic time-derivative of $\theta$ (Lemma 11). The interpretation of predicate symbol $p$ with arity $n$ is an $n$-ary relation $I(p) \subseteq \mathbb{R}^n$. The interpretation of quantifier symbol $C$ is a functional $I(C)$ mapping subsets $M \subseteq \mathcal{S}$ to subsets $I(C)(M) \subseteq \mathcal{S}$.


Definition 5 (dL semantics). The semantics of a dL formula $\phi$, for each interpretation $I$ with a corresponding set of states $\mathcal{S}$, is the subset $[\![\phi]\!]^I \subseteq \mathcal{S}$ of states in which $\phi$ is true. It is defined inductively as follows

1. $[\![\theta \geq \eta]\!]^I = \{\nu \in \mathcal{S} : [\![\theta]\!]^I\nu \geq [\![\eta]\!]^I\nu\}$

2. $[\![p(\theta_1, \dots, \theta_k)]\!]^I = \{\nu \in \mathcal{S} : ([\![\theta_1]\!]^I\nu, \dots, [\![\theta_k]\!]^I\nu) \in I(p)\}$

3. $[\![C(\phi)]\!]^I = I(C)\big([\![\phi]\!]^I\big)$ for quantifier symbol $C$

4. $[\![\neg\phi]\!]^I = \{\nu \in \mathcal{S} : \nu \notin [\![\phi]\!]^I\}$

5. $[\![\phi \wedge \psi]\!]^I = [\![\phi]\!]^I \cap [\![\psi]\!]^I$

6. $[\![\exists x\,\phi]\!]^I = \{\nu \in \mathcal{S} : \nu_x^r \in [\![\phi]\!]^I \text{ for some } r \in \mathbb{R}\}$

7. $[\![\langle\alpha\rangle\phi]\!]^I = [\![\alpha]\!]^I \circ [\![\phi]\!]^I = \{\nu : \omega \in [\![\phi]\!]^I \text{ for some } \omega \text{ such that } (\nu, \omega) \in [\![\alpha]\!]^I\}$

8. $[\![[\alpha]\phi]\!]^I = [\![\neg\langle\alpha\rangle\neg\phi]\!]^I = \{\nu : \omega \in [\![\phi]\!]^I \text{ for all } \omega \text{ such that } (\nu, \omega) \in [\![\alpha]\!]^I\}$

A dL formula $\phi$ is valid in $I$, written $I \models \phi$, iff $[\![\phi]\!]^I = \mathcal{S}$, i.e. $\nu \in [\![\phi]\!]^I$ for all $\nu$. Formula $\phi$ is valid, written $\models \phi$, iff $I \models \phi$ for all interpretations $I$.

² A slight abuse of notation rewrites the differential as $[\![(\theta)']\!]^I = d[\![\theta]\!]^I = \sum_i \frac{\partial [\![\theta]\!]^I}{\partial x^i}\, dx^i$ when $x^1, \dots, x^n$ are the variables in $\theta$ and their differentials $dx^i$ form the basis of the cotangent space, which, when evaluated at a point $\nu$ whose values $\nu(x')$ determine the tangent vector alias vector field, coincides with Def. 4.

The interpretation of a program constant $a$ is a state-transition relation $I(a) \subseteq \mathcal{S} \times \mathcal{S}$, where $(\nu, \omega) \in I(a)$ iff $a$ can run from initial state $\nu$ to final state $\omega$.

Definition 6 (Transition semantics of HPs). For each interpretation $I$, each HP $\alpha$ is interpreted semantically as a binary transition relation $[\![\alpha]\!]^I \subseteq \mathcal{S} \times \mathcal{S}$ on states, defined inductively by

1. $[\![a]\!]^I = I(a)$ for program constants $a$

2. $[\![x := \theta]\!]^I = \{(\nu, \nu_x^r) : r = [\![\theta]\!]^I\nu\} = \{(\nu, \omega) : \omega = \nu \text{ except } [\![x]\!]^I\omega = [\![\theta]\!]^I\nu\}$

3. $[\![x' := \theta]\!]^I = \{(\nu, \nu_{x'}^r) : r = [\![\theta]\!]^I\nu\} = \{(\nu, \omega) : \omega = \nu \text{ except } [\![x']\!]^I\omega = [\![\theta]\!]^I\nu\}$

4. $[\![?\psi]\!]^I = \{(\nu, \nu) : \nu \in [\![\psi]\!]^I\}$

5. $[\![x' = \theta \,\&\, \psi]\!]^I = \{(\nu, \omega) : I, \varphi \models x' = \theta \wedge \psi$, i.e. $\varphi(\zeta) \in [\![x' = \theta \wedge \psi]\!]^I$ for all $0 \leq \zeta \leq r$, for some function $\varphi : [0, r] \to \mathcal{S}$ of some duration $r$ for which all $\varphi(\zeta)(x') = \frac{d\varphi(t)(x)}{dt}(\zeta)$ exist and $\nu = \varphi(0)$ on $\{x'\}^\complement$ and $\omega = \varphi(r)\}$; i.e., $\varphi$ solves the differential equation and satisfies $\psi$ at all times. In case $r = 0$, the only condition is that $\nu = \omega$ on $\{x'\}^\complement$ and $\omega(x') = [\![\theta]\!]^I\omega$ and $\omega \in [\![\psi]\!]^I$.

6. $[\![\alpha \cup \beta]\!]^I = [\![\alpha]\!]^I \cup [\![\beta]\!]^I$

7. $[\![\alpha; \beta]\!]^I = [\![\alpha]\!]^I \circ [\![\beta]\!]^I = \{(\nu, \omega) : (\nu, \mu) \in [\![\alpha]\!]^I, (\mu, \omega) \in [\![\beta]\!]^I\}$

8. $[\![\alpha^*]\!]^I = ([\![\alpha]\!]^I)^* = \displaystyle\bigcup_{n \in \mathbb{N}} [\![\alpha^n]\!]^I$ with $\alpha^{n+1} = \alpha^n; \alpha$ and $\alpha^0 = ?\mathit{true}$

where $\rho^*$ denotes the reflexive transitive closure of relation $\rho$.

The initial values $\nu(x')$ of differential symbols $x'$ do not influence the behavior of $(\nu, \omega) \in [\![x' = \theta \,\&\, \psi]\!]^I$, because they may not be compatible with the time-derivatives for the differential equation, e.g. in $x' := 1;\ x' = 2$, with an $x'$ mismatch. The final values $\omega(x')$ will coincide with the derivatives, though.

Functions and predicates are interpreted by $I$ and are only influenced indirectly by $\nu$ through the values of their arguments. So $p(e) \to [x := x + 1]p(e)$ is valid if $x$ is not in $e$, since the change in $x$ does not change whether $p(e)$ is true (Lemma 2). By contrast, $p(x) \to [x := x + 1]p(x)$ is invalid, since it is false when $I(p) = \{d : d < 5\}$ and $\nu(x) = 4.5$. If the semantics of $p$ were to depend on the state $\nu$, then there would be no discernible relationship between the truth-values of $p$ in different states, so not even $p \to [x := x + 1]p$ would be valid.
2.3 Static Semantics

The static semantics of dL and HPs defines some aspects of their behavior that can be read off directly from their syntactic structure without running their programs or evaluating their dynamical effects. The most important aspects of the static semantics concern free or bound occurrences of variables (which are closely related to the notions of scope and definitions/uses in compilers). Bound variables $x$ are those that are bound by $\forall x$ or $\exists x$, but also those that are bound by modalities such as $[x := 5y]$ or $\langle x' = 1\rangle$ or $[x := 1 \cup x' = 1]$ or $[x := 1 \cup ?\mathit{true}]$.

The notions of free and bound variables are defined by simultaneous induction in the subsequent definitions: free variables for terms ($\mathrm{FV}(\theta)$), formulas ($\mathrm{FV}(\phi)$), and HPs ($\mathrm{FV}(\alpha)$), as well as bound variables for formulas ($\mathrm{BV}(\phi)$) and for HPs ($\mathrm{BV}(\alpha)$). For HPs, there will be a need to distinguish must-bound variables ($\mathrm{MBV}(\alpha)$) that are bound/written to on all executions of $\alpha$ from (may-)bound variables ($\mathrm{BV}(\alpha)$) which are bound on some (not necessarily all) execution paths of $\alpha$, such as in $[x := 1 \cup (x := 0;\ y := x + 1)]$, which has bound variables $\{x, y\}$ but must-bound variables only $\{x\}$, because $y$ is not written to in the first choice.

Definition 7 (Bound variable). The set $\mathrm{BV}(\phi) \subseteq \mathcal{V} \cup \mathcal{V}'$ of bound variables of dL formula $\phi$ is defined inductively as

$$\begin{aligned}
\mathrm{BV}(\theta \geq \eta) = \mathrm{BV}(p(\theta_1, \dots, \theta_k)) &= \emptyset \\
\mathrm{BV}(C(\phi)) &= \mathcal{V} \cup \mathcal{V}' \\
\mathrm{BV}(\neg\phi) &= \mathrm{BV}(\phi) \\
\mathrm{BV}(\phi \wedge \psi) &= \mathrm{BV}(\phi) \cup \mathrm{BV}(\psi) \\
\mathrm{BV}(\forall x\,\phi) = \mathrm{BV}(\exists x\,\phi) &= \{x\} \cup \mathrm{BV}(\phi) \\
\mathrm{BV}([\alpha]\phi) = \mathrm{BV}(\langle\alpha\rangle\phi) &= \mathrm{BV}(\alpha) \cup \mathrm{BV}(\phi)
\end{aligned}$$

Definition 8 (Free variable). The set $\mathrm{FV}(\theta) \subseteq \mathcal{V} \cup \mathcal{V}'$ of free variables of term $\theta$, i.e. those that occur in $\theta$, is defined inductively as

$$\begin{aligned}
\mathrm{FV}(x) &= \{x\} \\
\mathrm{FV}(x') &= \{x'\} \\
\mathrm{FV}(f(\theta_1, \dots, \theta_k)) &= \mathrm{FV}(\theta_1) \cup \dots \cup \mathrm{FV}(\theta_k) \\
\mathrm{FV}(\theta + \eta) = \mathrm{FV}(\theta \cdot \eta) &= \mathrm{FV}(\theta) \cup \mathrm{FV}(\eta) \\
\mathrm{FV}((\theta)') &= \mathrm{FV}(\theta) \cup \mathrm{FV}(\theta)'
\end{aligned}$$

The set $\mathrm{FV}(\phi)$ of free variables of dL formula $\phi$, i.e. all those that occur in $\phi$ outside the scope of quantifiers or modalities binding it, is defined inductively as

$$\begin{aligned}
\mathrm{FV}(\theta \geq \eta) &= \mathrm{FV}(\theta) \cup \mathrm{FV}(\eta) \\
\mathrm{FV}(p(\theta_1, \dots, \theta_k)) &= \mathrm{FV}(\theta_1) \cup \dots \cup \mathrm{FV}(\theta_k) \\
\mathrm{FV}(C(\phi)) &= \mathcal{V} \cup \mathcal{V}' \\
\mathrm{FV}(\neg\phi) &= \mathrm{FV}(\phi) \\
\mathrm{FV}(\phi \wedge \psi) &= \mathrm{FV}(\phi) \cup \mathrm{FV}(\psi) \\
\mathrm{FV}(\forall x\,\phi) = \mathrm{FV}(\exists x\,\phi) &= \mathrm{FV}(\phi) \setminus \{x\} \\
\mathrm{FV}([\alpha]\phi) = \mathrm{FV}(\langle\alpha\rangle\phi) &= \mathrm{FV}(\alpha) \cup (\mathrm{FV}(\phi) \setminus \mathrm{MBV}(\alpha))
\end{aligned}$$

A. Platzer, A Uniform Substitution Calculus for Differential Dynamic Logic

Soundness requires that $\mathrm{FV}([\alpha]\phi)$ is not defined as $\mathrm{FV}(\alpha) \cup (\mathrm{FV}(\phi) \setminus \mathrm{BV}(\alpha))$, otherwise $[x := 1 \cup y := 2]x \geq 1$ would have no free variables, but its truth-value depends on the initial value of $x$, demanding $\mathrm{FV}([x := 1 \cup y := 2]x \geq 1) = \{x\}$. The simpler definition $\mathrm{FV}([\alpha]\phi) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\phi)$ would be correct, but the results would be less precise then. Likewise for $\langle\alpha\rangle\phi$. Soundness requires $\mathrm{FV}((\theta)')$ not to be defined as $\mathrm{FV}(\theta)'$, because the value of $(xy)'$ depends on $\{x, x', y, y'\}$, since $(xy)'$ equals $x'y + xy'$ (Lemma 13).

The static semantics defines which variables are free, so may be read ($\mathrm{FV}(\alpha)$), which are bound ($\mathrm{BV}(\alpha)$), so may be written to somewhere in $\alpha$, and which are must-bound ($\mathrm{MBV}(\alpha)$), so must be written to on all execution paths of $\alpha$.

Definition 9 (Bound variable). The set $\mathrm{BV}(\alpha) \subseteq \mathcal{V} \cup \mathcal{V}'$ of bound variables of HP $\alpha$, i.e. all those that may potentially be written to, is defined inductively:

$$\begin{aligned}
\mathrm{BV}(a) &= \mathcal{V} \cup \mathcal{V}' \quad \text{for program constant } a \\
\mathrm{BV}(x := \theta) &= \{x\} \\
\mathrm{BV}(x' := \theta) &= \{x'\} \\
\mathrm{BV}(?\psi) &= \emptyset \\
\mathrm{BV}(x' = \theta \,\&\, \psi) &= \{x, x'\} \\
\mathrm{BV}(\alpha \cup \beta) = \mathrm{BV}(\alpha; \beta) &= \mathrm{BV}(\alpha) \cup \mathrm{BV}(\beta) \\
\mathrm{BV}(\alpha^*) &= \mathrm{BV}(\alpha)
\end{aligned}$$

Definition 10 (Must-bound variable). The set $\mathrm{MBV}(\alpha) \subseteq \mathrm{BV}(\alpha) \subseteq \mathcal{V} \cup \mathcal{V}'$ of must-bound variables of HP $\alpha$, i.e.all those that must be written to on all paths of $\alpha$, is defined inductively as

$$\begin{aligned}
\mathrm{MBV}(a) &= \emptyset \quad \text{for program constant } a \\
\mathrm{MBV}(\alpha) &= \mathrm{BV}(\alpha) \quad \text{for other atomic HPs } \alpha \\
\mathrm{MBV}(\alpha \cup \beta) &= \mathrm{MBV}(\alpha) \cap \mathrm{MBV}(\beta) \\
\mathrm{MBV}(\alpha; \beta) &= \mathrm{MBV}(\alpha) \cup \mathrm{MBV}(\beta) \\
\mathrm{MBV}(\alpha^*) &= \emptyset
\end{aligned}$$

Obviously, $\mathrm{MBV}(\alpha) \subseteq \mathrm{BV}(\alpha)$. If $\alpha$ is only built by sequential compositions from atomic programs without program constants, then $\mathrm{MBV}(\alpha) = \mathrm{BV}(\alpha)$.

Definition 11 (Free variable). The set $\mathrm{FV}(\alpha) \subseteq \mathcal{V} \cup \mathcal{V}'$ of free variables of HP $\alpha$, i.e. all those that may potentially be read, is defined inductively as

$$\begin{aligned}
\mathrm{FV}(a) &= \mathcal{V} \cup \mathcal{V}' \quad \text{for program constant } a \\
\mathrm{FV}(x := \theta) = \mathrm{FV}(x' := \theta) &= \mathrm{FV}(\theta) \\
\mathrm{FV}(?\psi) &= \mathrm{FV}(\psi) \\
\mathrm{FV}(x' = \theta \,\&\, \psi) &= \{x\} \cup \mathrm{FV}(\theta) \cup \mathrm{FV}(\psi) \\
\mathrm{FV}(\alpha \cup \beta) &= \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta) \\
\mathrm{FV}(\alpha; \beta) &= \mathrm{FV}(\alpha) \cup (\mathrm{FV}(\beta) \setminus \mathrm{MBV}(\alpha)) \\
\mathrm{FV}(\alpha^*) &= \mathrm{FV}(\alpha)
\end{aligned}$$

The variables of HP $\alpha$, whether free or bound, are $\mathrm{V}(\alpha) = \mathrm{FV}(\alpha) \cup \mathrm{BV}(\alpha)$.


The simpler definition $\mathrm{FV}(\alpha; \beta) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta)$ would be correct, but the results would be less precise then. Unlike $x$, the left-hand side $x'$ of differential equations is not added to the free variables of $\mathrm{FV}(x' = \theta \,\&\, \psi)$, because its behavior does not depend on the initial value of the differential symbol $x'$, only on the initial value of $x$. Free and bound variables are the set of all variables $\mathcal{V}$ and differential symbols $\mathcal{V}'$ for program constants $a$, because their effect depends on the interpretation $I$, so they may read and write all of $\mathrm{FV}(a) = \mathrm{BV}(a) = \mathcal{V} \cup \mathcal{V}'$, but not on all paths, so $\mathrm{MBV}(a) = \emptyset$. Subsequent results about free and bound variables are, thus, vacuously true when program constants occur. Corresponding observations hold for quantifier symbols.

The static semantics defines which variables are readable or writable. There may not be any run of $\alpha$ in which a variable is actually read or written to. If $x \notin \mathrm{FV}(\alpha)$, though, then $\alpha$ cannot read the value of $x$. If $x \notin \mathrm{BV}(\alpha)$, it cannot write to $x$. Def. 11 is parsimonious. For example, $x$ is not a free variable of the following program

$$(x := 1 \cup x := 2);\ z := x + y$$

because $x$ is never actually read, since $x$ must have been defined on every execution path of the first part before being read by the second part. No execution of the above program, thus, depends on the initial value of $x$, which is why it is not a free variable. This would have been different for the simpler definition

$$\mathrm{FV}(\alpha; \beta) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta)$$

There is a limit to the precision with which any static analysis can determine which variables are really read or written [12]. The static semantics in Def. 11 will, e.g., call $x$ a free variable of the following program even though no execution could read it, because every execution fails the test $?\mathit{false}$ before reaching the branch that reads $x$:

$$z := 0;\ (?\mathit{false};\ z := z + x)^*$$

The signature, i.e. the set of function, predicate, quantifier symbols, and program constants in $\phi$, is denoted by $\Sigma(\phi)$ (accordingly for terms and programs). It is defined like $\mathrm{FV}(\phi)$ except that all occurrences are free. Variables in $\mathcal{V} \cup \mathcal{V}'$ are interpreted by state $\nu$. The symbols in $\Sigma(\phi)$ are interpreted by interpretation $I$.


2.4 Correctness of Static Semantics 

The following result reflects that HPs have bounded effect: for a variable $x$ to be modified during a run of $\alpha$, $x$ needs to be a bound variable in HP $\alpha$, i.e. $x \in \mathrm{BV}(\alpha)$, so that $\alpha$ can write to $x$. The converse is not true, because $\alpha$ may bind a variable $x$, e.g. by having an assignment to $x$, that never actually changes the value of $x$, such as $x := x$, or because the assignment can never be executed. The following program, for example, binds $x$ but will never change the value of $x$, because there is no way of satisfying the test $?\mathit{false}$: $(?\mathit{false};\ x := 42) \cup z := x + 1$.

Lemma 1 (Bound effect lemma). If $(\nu, \omega) \in [\![\alpha]\!]^I$, then $\nu = \omega$ on $\mathrm{BV}(\alpha)^\complement$.

Proof. The proof is by a straightforward structural induction on $\alpha$.

• Since $\mathrm{BV}(a) = \mathcal{V} \cup \mathcal{V}'$, the statement is vacuously true for program constant $a$, because $\mathrm{BV}(a)^\complement = \emptyset$.

• $(\nu, \omega) \in [\![x := \theta]\!]^I = \{(\nu, \omega) : \omega = \nu \text{ except that } [\![x]\!]^I\omega = [\![\theta]\!]^I\nu\}$ implies that $\nu = \omega$ except for $\{x\} = \mathrm{BV}(x := \theta)$.

• $(\nu, \omega) \in [\![x' := \theta]\!]^I = \{(\nu, \omega) : \omega = \nu \text{ except that } [\![x']\!]^I\omega = [\![\theta]\!]^I\nu\}$ implies that $\nu = \omega$ except for $\{x'\} = \mathrm{BV}(x' := \theta)$.

• $(\nu, \nu) \in [\![?\psi]\!]^I = \{(\nu, \nu) : \nu \in [\![\psi]\!]^I\}$, i.e. $\nu \in [\![\psi]\!]^I$, fits to $\mathrm{BV}(?\psi) = \emptyset$.

• $(\nu, \omega) \in [\![x' = \theta \,\&\, \psi]\!]^I$ implies that $\nu = \omega$ except for the variables with differential equations, which are $\{x, x'\} = \mathrm{BV}(x' = \theta \,\&\, \psi)$, observing that $\nu(x')$ and $\omega(x')$ may differ by Def. 6.

• $(\nu, \omega) \in [\![\alpha \cup \beta]\!]^I = [\![\alpha]\!]^I \cup [\![\beta]\!]^I$ implies $(\nu, \omega) \in [\![\alpha]\!]^I$ or $(\nu, \omega) \in [\![\beta]\!]^I$, which, by induction hypothesis, implies $\nu = \omega$ on $\mathrm{BV}(\alpha)^\complement$ or $\nu = \omega$ on $\mathrm{BV}(\beta)^\complement$, respectively. Either case implies $\nu = \omega$ on $(\mathrm{BV}(\alpha) \cup \mathrm{BV}(\beta))^\complement = \mathrm{BV}(\alpha \cup \beta)^\complement$.

• $(\nu, \omega) \in [\![\alpha; \beta]\!]^I = [\![\alpha]\!]^I \circ [\![\beta]\!]^I$, i.e. there is a $\mu$ such that $(\nu, \mu) \in [\![\alpha]\!]^I$ and $(\mu, \omega) \in [\![\beta]\!]^I$. So, by induction hypothesis, $\nu = \mu$ on $\mathrm{BV}(\alpha)^\complement$ and $\mu = \omega$ on $\mathrm{BV}(\beta)^\complement$. By transitivity, $\nu = \omega$ on $(\mathrm{BV}(\alpha) \cup \mathrm{BV}(\beta))^\complement = \mathrm{BV}(\alpha; \beta)^\complement$.

• $(\nu, \omega) \in [\![\alpha^*]\!]^I = \bigcup_{n \in \mathbb{N}} [\![\alpha^n]\!]^I$, then there is an $n \in \mathbb{N}$ and a sequence $\nu_0 = \nu, \dots, \nu_n = \omega$ such that $(\nu_i, \nu_{i+1}) \in [\![\alpha]\!]^I$ for all $i < n$. By $n$ uses of the induction hypothesis, $\nu_i = \nu_{i+1}$ on $\mathrm{BV}(\alpha)^\complement$ for all $i < n$. Thus, $\nu = \nu_0 = \nu_n = \omega$ on $\mathrm{BV}(\alpha)^\complement = \mathrm{BV}(\alpha^*)^\complement$. □

Similarly, only $\mathrm{BV}(\phi)$ change their value during the evaluation of formulas.

The value of a term only depends on the values of its free variables. When evaluating a term $\theta$ in two states $\nu, \tilde\nu$ that differ widely but agree on the free variables $\mathrm{FV}(\theta)$ of $\theta$, the values of $\theta$ in both states coincide. Accordingly for different interpretations $I, J$ that agree on the symbols $\Sigma(\theta)$ that occur in $\theta$.

Lemma 2 (Coincidence lemma). If $\nu = \tilde\nu$ on $\mathrm{FV}(\theta)$ and $I = J$ on $\Sigma(\theta)$, then $[\![\theta]\!]^I\nu = [\![\theta]\!]^J\tilde\nu$.

Proof. The proof is by structural induction on $\theta$.

• $[\![x]\!]^I\nu = \nu(x) = \tilde\nu(x) = [\![x]\!]^J\tilde\nu$ for variable $x$ since $\nu = \tilde\nu$ on $\mathrm{FV}(x) = \{x\}$.

• $[\![x']\!]^I\nu = \nu(x') = \tilde\nu(x') = [\![x']\!]^J\tilde\nu$ for differential symbol $x'$ since $\nu = \tilde\nu$ on $\mathrm{FV}(x') = \{x'\}$.

• $[\![f(\theta_1, \dots, \theta_k)]\!]^I\nu = I(f)([\![\theta_1]\!]^I\nu, \dots, [\![\theta_k]\!]^I\nu) = J(f)([\![\theta_1]\!]^J\tilde\nu, \dots, [\![\theta_k]\!]^J\tilde\nu) = [\![f(\theta_1, \dots, \theta_k)]\!]^J\tilde\nu$ by induction hypothesis, because $\mathrm{FV}(\theta_i) \subseteq \mathrm{FV}(f(\theta_1, \dots, \theta_k))$ and $I$ and $J$ were assumed to agree on the function symbol $f$ that occurs in the term.

• $[\![\theta + \eta]\!]^I\nu = [\![\theta]\!]^I\nu + [\![\eta]\!]^I\nu = [\![\theta]\!]^J\tilde\nu + [\![\eta]\!]^J\tilde\nu = [\![\theta + \eta]\!]^J\tilde\nu$ by induction hypothesis, because $\mathrm{FV}(\theta) \subseteq \mathrm{FV}(\theta + \eta)$ and $\mathrm{FV}(\eta) \subseteq \mathrm{FV}(\theta + \eta)$.

• $[\![\theta \cdot \eta]\!]^I\nu = [\![\theta]\!]^I\nu \cdot [\![\eta]\!]^I\nu = [\![\theta]\!]^J\tilde\nu \cdot [\![\eta]\!]^J\tilde\nu = [\![\theta \cdot \eta]\!]^J\tilde\nu$ by induction hypothesis, because $\mathrm{FV}(\theta) \subseteq \mathrm{FV}(\theta \cdot \eta)$ and $\mathrm{FV}(\eta) \subseteq \mathrm{FV}(\theta \cdot \eta)$.

• $[\![(\theta)']\!]^I\nu = \sum_x \nu(x') \dfrac{\partial [\![\theta]\!]^I\nu_x^X}{\partial X} = \sum_x \tilde\nu(x') \dfrac{\partial [\![\theta]\!]^I\tilde\nu_x^X}{\partial X} \overset{\text{IH}}{=} \sum_x \tilde\nu(x') \dfrac{\partial [\![\theta]\!]^J\tilde\nu_x^X}{\partial X} = [\![(\theta)']\!]^J\tilde\nu$ since $\nu = \tilde\nu$ on $\mathrm{FV}((\theta)')$, which includes all differential symbols $x'$ for all $x \in \mathrm{FV}(\theta)$ (the others have partial derivative 0 so do not contribute to the sum), and by induction hypothesis on the simpler term $\theta$, because $\mathrm{FV}(\theta) \subseteq \mathrm{FV}((\theta)')$. Note that partial derivatives are functional, i.e. the partial derivatives by $X$ of $[\![\theta]\!]^I\nu_x^X$ and $[\![\theta]\!]^J\tilde\nu_x^X$ agree since, by induction hypothesis, $[\![\theta]\!]^I\nu_x^X = [\![\theta]\!]^J\tilde\nu_x^X$ for all $X$, since $\nu_x^X = \tilde\nu_x^X$ on $\{x\} \cup \mathrm{FV}(\theta)$, because $x$ is interpreted to be $X$ in both states and $\nu = \tilde\nu$ on $\mathrm{FV}(\theta)$ already. □

By a more subtle argument, the values of dL formulas also only depend on the values of their free variables. When evaluating dL formula $\phi$ in two states $\nu, \tilde\nu$ that differ but agree on the free variables $\mathrm{FV}(\phi)$ of $\phi$, the (truth) values of $\phi$ in both states coincide. Lemma 3 and Lemma 4 are proved by simultaneous induction.

Lemma 3 (Coincidence lemma). If $\nu = \tilde\nu$ on $\mathrm{FV}(\phi)$ and $I = J$ on $\Sigma(\phi)$, then $\nu \in [\![\phi]\!]^I$ iff $\tilde\nu \in [\![\phi]\!]^J$.

Proof. The proof is by structural induction on $\phi$.

1. $\nu \in [\![p(\theta_1, \dots, \theta_k)]\!]^I$ iff $([\![\theta_1]\!]^I\nu, \dots, [\![\theta_k]\!]^I\nu) \in I(p)$ iff $([\![\theta_1]\!]^J\tilde\nu, \dots, [\![\theta_k]\!]^J\tilde\nu) \in J(p)$ iff $\tilde\nu \in [\![p(\theta_1, \dots, \theta_k)]\!]^J$ by Lemma 2, since $\mathrm{FV}(\theta_i) \subseteq \mathrm{FV}(p(\theta_1, \dots, \theta_k))$ and $I$ and $J$ were assumed to agree on the predicate symbol $p$ that occurs in the formula.

2. $\nu \in [\![\theta \geq \eta]\!]^I$ iff $[\![\theta]\!]^I\nu \geq [\![\eta]\!]^I\nu$ iff $[\![\theta]\!]^J\tilde\nu \geq [\![\eta]\!]^J\tilde\nu$ iff $\tilde\nu \in [\![\theta \geq \eta]\!]^J$ by Lemma 2, since $\mathrm{FV}(\theta) \cup \mathrm{FV}(\eta) \subseteq \mathrm{FV}(\theta \geq \eta)$ and the interpretation of $\geq$ is fixed.

3. $\nu \in [\![C(\phi)]\!]^I = I(C)([\![\phi]\!]^I)$ iff(IH) $\tilde\nu \in [\![C(\phi)]\!]^J = J(C)([\![\phi]\!]^J)$, since $\nu = \tilde\nu$ on $\mathrm{FV}(C(\phi)) = \mathcal{V} \cup \mathcal{V}'$, so $\nu = \tilde\nu$, and $I = J$ on $\Sigma(C(\phi)) = \{C\} \cup \Sigma(\phi)$, so $I(C) = J(C)$ and, by induction hypothesis, $[\![\phi]\!]^I = [\![\phi]\!]^J$.

4. $\nu \in [\![\neg\phi]\!]^I$ iff $\nu \notin [\![\phi]\!]^I$ iff(IH) $\tilde\nu \notin [\![\phi]\!]^J$ iff $\tilde\nu \in [\![\neg\phi]\!]^J$ by induction hypothesis, as $\mathrm{FV}(\neg\phi) = \mathrm{FV}(\phi)$.

5. $\nu \in [\![\phi \wedge \psi]\!]^I$ iff $\nu \in [\![\phi]\!]^I \cap [\![\psi]\!]^I$ iff(IH) $\tilde\nu \in [\![\phi]\!]^J \cap [\![\psi]\!]^J$ iff $\tilde\nu \in [\![\phi \wedge \psi]\!]^J$ by induction hypothesis, using $\mathrm{FV}(\phi \wedge \psi) = \mathrm{FV}(\phi) \cup \mathrm{FV}(\psi)$.

6. $\nu \in [\![\exists x\,\phi]\!]^I$ iff $\nu_x^r \in [\![\phi]\!]^I$ for some $r \in \mathbb{R}$ iff(IH) $\tilde\nu_x^r \in [\![\phi]\!]^J$ for the same $r$ iff $\tilde\nu \in [\![\exists x\,\phi]\!]^J$ by induction hypothesis, using that $\nu_x^r = \tilde\nu_x^r$ on $\mathrm{FV}(\phi) \subseteq \{x\} \cup \mathrm{FV}(\exists x\,\phi)$.

7. The case $\forall x\,\phi$ follows from the equivalence $\forall x\,\phi \equiv \neg\exists x\,\neg\phi$ using $\mathrm{FV}(\neg\exists x\,\neg\phi) = \mathrm{FV}(\forall x\,\phi)$.

8. $\nu \in [\![\langle\alpha\rangle\phi]\!]^I$ iff there is an $\omega$ such that $(\nu, \omega) \in [\![\alpha]\!]^I$ and $\omega \in [\![\phi]\!]^I$. Since $\nu = \tilde\nu$ on $\mathrm{FV}(\langle\alpha\rangle\phi) \supseteq \mathrm{FV}(\alpha)$ and $(\nu, \omega) \in [\![\alpha]\!]^I$, Lemma 4 implies with $I = J$ on $\Sigma(\alpha)$ that there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$ and $\omega = \tilde\omega$ on $\mathrm{FV}(\langle\alpha\rangle\phi) \cup \mathrm{MBV}(\alpha) = \mathrm{FV}(\alpha) \cup (\mathrm{FV}(\phi) \setminus \mathrm{MBV}(\alpha)) \cup \mathrm{MBV}(\alpha) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\phi) \cup \mathrm{MBV}(\alpha) \supseteq \mathrm{FV}(\phi)$.

(Diagram: $\nu \xrightarrow{\alpha} \omega$ and $\tilde\nu \xrightarrow{\alpha} \tilde\omega$, with $\nu = \tilde\nu$ on $\mathrm{FV}(\langle\alpha\rangle\phi) \supseteq \mathrm{FV}(\alpha)$ and $\omega = \tilde\omega$ on $\mathrm{FV}(\langle\alpha\rangle\phi) \cup \mathrm{MBV}(\alpha) \supseteq \mathrm{FV}(\phi)$.)

Since $\omega = \tilde\omega$ on $\mathrm{FV}(\phi)$ and $I = J$ on $\Sigma(\phi)$, the induction hypothesis implies that $\tilde\omega \in [\![\phi]\!]^J$, since $\omega \in [\![\phi]\!]^I$. Since $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$, this implies $\tilde\nu \in [\![\langle\alpha\rangle\phi]\!]^J$.

9. $\nu \in [\![[\alpha]\phi]\!]^I = [\![\neg\langle\alpha\rangle\neg\phi]\!]^I$ iff $\nu \notin [\![\langle\alpha\rangle\neg\phi]\!]^I$ iff $\tilde\nu \notin [\![\langle\alpha\rangle\neg\phi]\!]^J$ iff $\tilde\nu \in [\![[\alpha]\phi]\!]^J$ by induction hypothesis, using $\mathrm{FV}(\langle\alpha\rangle\neg\phi) = \mathrm{FV}([\alpha]\phi)$. □

In a sense, the runs of an HP $\alpha$ also only depend on the values of its free variables, because its behavior cannot depend on the values of variables that it never reads. That is, if $\nu = \tilde\nu$ on $\mathrm{FV}(\alpha)$ and $(\nu, \omega) \in [\![\alpha]\!]^I$, then there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$ and $\omega$ and $\tilde\omega$ agree in some sense. There is a subtlety, though. The resulting states $\omega$ and $\tilde\omega$ will only continue to agree on $\mathrm{FV}(\alpha)$ and the variables that are bound on the particular path that $\alpha$ took for the transition $(\nu, \omega) \in [\![\alpha]\!]^I$. On variables $z$ that are neither free (so the initial states $\nu$ and $\tilde\nu$ have not been assumed to coincide) nor bound on the particular path that $\alpha$ took, $\omega$ and $\tilde\omega$ may continue to disagree, because $z$ has not been written to.

Example 1. Let $(\nu, \omega) \in [\![\alpha]\!]^I$. It is not enough to assume $\nu = \tilde\nu$ only on $\mathrm{FV}(\alpha)$ in order to guarantee $\omega = \tilde\omega$ on $\mathrm{V}(\alpha)$ for some $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$, because

$$\alpha \overset{\text{def}}{=} x := 1 \cup y := 2$$

will force the final states to agree only on either $x$ or on $y$, whichever one was assigned to during the respective run of $\alpha$, not on both $\mathrm{BV}(\alpha) = \{x, y\}$, even though any initial states $\nu, \tilde\nu$ agree on $\mathrm{FV}(\alpha) = \emptyset$. Note that this can only happen because $\mathrm{MBV}(\alpha) = \emptyset \neq \mathrm{BV}(\alpha) = \{x, y\}$.

Yet, $\omega$ and $\tilde\omega$ agree on the variables that are bound on all paths of $\alpha$, rather than somewhere in $\alpha$. That is, on the must-bound variables of $\alpha$. If initial states agree on (at least) all free variables $\mathrm{FV}(\alpha)$ that HP $\alpha$ may read, then the final states agree on those as well as on all variables that $\alpha$ must write, i.e. on $\mathrm{MBV}(\alpha)$.


Lemma 4 (Coincidence lemma). If $\nu = \tilde\nu$ on $V \supseteq \mathrm{FV}(\alpha)$ and $I = J$ on $\Sigma(\alpha)$ and $(\nu, \omega) \in [\![\alpha]\!]^I$, then there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$ and $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha)$.

(Diagram: $\nu \xrightarrow{\alpha} \omega$ and $\tilde\nu \xrightarrow{\alpha} \tilde\omega$, with $\nu = \tilde\nu$ on $V \supseteq \mathrm{FV}(\alpha)$, $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha)$, and $\nu = \omega$ as well as $\tilde\nu = \tilde\omega$ on $\mathrm{BV}(\alpha)^\complement$.)

Proof. The proof is by induction on the structural complexity of $\alpha$, where $\alpha^*$ is considered to be structurally more complex than HPs of any length but with less nested repetitions, which induces a well-founded order on HPs. For atomic programs $\alpha$, for which $\mathrm{BV}(\alpha) = \mathrm{MBV}(\alpha)$, it is enough to conclude agreement on $\mathrm{V}(\alpha) \overset{\text{def}}{=} \mathrm{FV}(\alpha) \cup \mathrm{BV}(\alpha) = \mathrm{FV}(\alpha) \cup \mathrm{MBV}(\alpha)$, because any variable in $V \setminus \mathrm{V}(\alpha)$ is in $\mathrm{BV}(\alpha)^\complement$, which remains unchanged by $\alpha$ according to Lemma 1.

• Since $\mathrm{FV}(a) = \mathcal{V} \cup \mathcal{V}'$, so $\nu = \tilde\nu$, the statement is vacuously true for program constant $a$.

• $(\nu, \omega) \in [\![x := \theta]\!]^I = \{(\nu, \omega) : \omega = \nu \text{ except that } [\![x]\!]^I\omega = [\![\theta]\!]^I\nu\}$, then there is a transition $(\tilde\nu, \tilde\omega) \in [\![x := \theta]\!]^J$ and $\tilde\omega(x) = [\![x]\!]^J\tilde\omega = [\![\theta]\!]^J\tilde\nu = [\![\theta]\!]^I\nu = [\![x]\!]^I\omega = \omega(x)$ by Lemma 2, since $\nu = \tilde\nu$ on $\mathrm{FV}(x := \theta) = \mathrm{FV}(\theta)$ and $I = J$ on $\Sigma(\theta)$. So, $\omega = \tilde\omega$ on $\mathrm{BV}(x := \theta) = \{x\}$. Also, $\nu = \omega$ on $\mathrm{BV}(x := \theta)^\complement$ and $\tilde\nu = \tilde\omega$ on $\mathrm{BV}(x := \theta)^\complement$ by Lemma 1. Since $\nu = \tilde\nu$ on $\mathrm{FV}(x := \theta)$, these imply $\omega = \tilde\omega$ on $\mathrm{FV}(x := \theta) \setminus \mathrm{BV}(x := \theta)$. Since $\omega = \tilde\omega$ on $\mathrm{BV}(x := \theta)$ had been shown already, this implies $\omega = \tilde\omega$ on $\mathrm{V}(x := \theta)$.

• $(\nu, \omega) \in [\![x' := \theta]\!]^I = \{(\nu, \nu_{x'}^r) : r = [\![\theta]\!]^I\nu\}$. As $[\![\theta]\!]^I\nu = [\![\theta]\!]^J\tilde\nu$ by Lemma 2, since $\mathrm{FV}(\theta) \subseteq \mathrm{FV}(x' := \theta)$, this implies $(\tilde\nu, \tilde\nu_{x'}^r) \in [\![x' := \theta]\!]^J = \{(\tilde\nu, \tilde\nu_{x'}^r) : r = [\![\theta]\!]^J\tilde\nu\}$. By construction $\omega = \tilde\nu_{x'}^r$ on $\mathrm{BV}(x' := \theta) = \{x'\}$ and they continue to agree on $\mathrm{FV}(x' := \theta) \setminus \mathrm{BV}(x' := \theta)$.

• $(\nu, \omega) \in [\![?\psi]\!]^I = \{(\nu, \nu) : \nu \in [\![\psi]\!]^I\}$, i.e. $\nu \in [\![\psi]\!]^I$, then $\omega = \nu$ by Def. 6. Since $\nu \in [\![\psi]\!]^I$ and $\nu = \tilde\nu$ on $\mathrm{FV}(?\psi)$ and $I = J$ on $\Sigma(\psi)$, Lemma 3 implies that $\tilde\nu \in [\![\psi]\!]^J$, so $(\tilde\nu, \tilde\nu) \in [\![?\psi]\!]^J$. So $\nu = \tilde\nu$ on $\mathrm{V}(?\psi)$ since $\mathrm{BV}(?\psi) = \emptyset$.

• $(\nu, \omega) \in [\![x' = \theta \,\&\, \psi]\!]^I$ implies that there is an $\tilde\omega$ reached from $\tilde\nu$ by following the differential equation for the same amount of time it took to reach $\omega$ from $\nu$. The solution will be the same, because $I = J$ on $\Sigma(x' = \theta \,\&\, \psi)$ and $\nu = \tilde\nu$ on $\mathrm{FV}(x' = \theta \,\&\, \psi)$, which, using Lemma 2, contains all the variables whose values the differential equation solution depends on. Thus, both solutions agree on all variables that evolve during the continuous evolution, i.e. $\mathrm{BV}(x' = \theta \,\&\, \psi)$. Thus, $(\tilde\nu, \tilde\omega) \in [\![x' = \theta \,\&\, \psi]\!]^J$ and $\omega = \tilde\omega$ on $\mathrm{V}(x' = \theta \,\&\, \psi)$.
• $(\nu, \omega) \in [\![\alpha \cup \beta]\!]^I = [\![\alpha]\!]^I \cup [\![\beta]\!]^I$ implies $(\nu, \omega) \in [\![\alpha]\!]^I$ or $(\nu, \omega) \in [\![\beta]\!]^I$, which, since $V \supseteq \mathrm{FV}(\alpha \cup \beta) \supseteq \mathrm{FV}(\alpha)$ and $V \supseteq \mathrm{FV}(\alpha \cup \beta) \supseteq \mathrm{FV}(\beta)$, implies, by induction hypothesis, that there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha]\!]^J$ and $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha)$, or that there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\beta]\!]^J$ and $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\beta)$, respectively. In either case, there is an $\tilde\omega$ such that $(\tilde\nu, \tilde\omega) \in [\![\alpha \cup \beta]\!]^J$ and $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha \cup \beta)$, because $[\![\alpha]\!]^J \subseteq [\![\alpha \cup \beta]\!]^J$ and $[\![\beta]\!]^J \subseteq [\![\alpha \cup \beta]\!]^J$ and $\mathrm{MBV}(\alpha \cup \beta) = \mathrm{MBV}(\alpha) \cap \mathrm{MBV}(\beta)$.

(Diagram: one square for the $\alpha$ branch and one for the $\beta$ branch, each of the form $\nu \to \omega$ and $\tilde\nu \to \tilde\omega$, with $\nu = \tilde\nu$ on $V \supseteq \mathrm{FV}(\alpha \cup \beta) \supseteq \mathrm{FV}(\alpha)$, resp. $\supseteq \mathrm{FV}(\beta)$; $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha)$, resp. $V \cup \mathrm{MBV}(\beta)$; and each transition leaving $\mathrm{BV}(\alpha)^\complement$, resp. $\mathrm{BV}(\beta)^\complement$, unchanged.)

• $(\nu,\omega) \in \llbracket\alpha;\beta\rrbracket^I = \llbracket\alpha\rrbracket^I \circ \llbracket\beta\rrbracket^I$, i.e. there is a $\mu$ such that $(\nu,\mu) \in \llbracket\alpha\rrbracket^I$ and $(\mu,\omega) \in \llbracket\beta\rrbracket^I$. Since $V \supseteq \mathrm{FV}(\alpha;\beta) \supseteq \mathrm{FV}(\alpha)$, by induction hypothesis, there is a $\tilde\mu$ such that $(\tilde\nu,\tilde\mu) \in \llbracket\alpha\rrbracket^J$ and $\mu = \tilde\mu$ on $V \cup \mathrm{MBV}(\alpha)$. Since $V \supseteq \mathrm{FV}(\alpha;\beta)$, so $V \cup \mathrm{MBV}(\alpha) \supseteq \mathrm{FV}(\alpha;\beta) \cup \mathrm{MBV}(\alpha) = \mathrm{FV}(\alpha) \cup (\mathrm{FV}(\beta) \setminus \mathrm{MBV}(\alpha)) \cup \mathrm{MBV}(\alpha) = \mathrm{FV}(\alpha) \cup \mathrm{FV}(\beta) \cup \mathrm{MBV}(\alpha) \supseteq \mathrm{FV}(\beta)$ by Def. 11, and since $(\mu,\omega) \in \llbracket\beta\rrbracket^I$, the induction hypothesis implies that there is an $\tilde\omega$ such that $(\tilde\mu,\tilde\omega) \in \llbracket\beta\rrbracket^J$ and $\omega = \tilde\omega$ on $(V \cup \mathrm{MBV}(\alpha)) \cup \mathrm{MBV}(\beta) = V \cup \mathrm{MBV}(\alpha;\beta)$.



• $(\nu,\omega) \in \llbracket\alpha^*\rrbracket^I = \bigcup_{n \in \mathbb{N}} \llbracket\alpha^n\rrbracket^I$ iff there is an $n \in \mathbb{N}$ such that $(\nu,\omega) \in \llbracket\alpha^n\rrbracket^I$. The case $n = 0$ follows from the assumption $\nu = \tilde\nu$ on $V \supseteq \mathrm{FV}(\alpha)$, since $\omega = \nu$ holds in that case and $\mathrm{MBV}(\alpha^*) = \emptyset$. The case $n > 0$ proceeds as follows. Since $\mathrm{FV}(\alpha^n) = \mathrm{FV}(\alpha^*) = \mathrm{FV}(\alpha)$, the induction hypothesis applied to the structurally simpler HP $\alpha^n$ implies that there is an $\tilde\omega$ such that $(\tilde\nu,\tilde\omega) \in \llbracket\alpha^n\rrbracket^J$ and $\omega = \tilde\omega$ on $V \cup \mathrm{MBV}(\alpha^n) \supseteq V = V \cup \mathrm{MBV}(\alpha^*)$, since $\mathrm{MBV}(\alpha^*) = \emptyset$. Since $\llbracket\alpha^n\rrbracket^J \subseteq \llbracket\alpha^*\rrbracket^J$, this concludes the proof.


□ 

When assuming $\nu$ and $\tilde\nu$ to agree on all of $\mathcal{V}(\alpha)$, whether free or bound, $\omega$ and $\tilde\omega$ will continue to agree on $\mathcal{V}(\alpha)$:

Corollary 5 (Coincidence lemma). If $\nu = \tilde\nu$ on $\mathcal{V}(\alpha)$ and $I = J$ on $\Sigma(\alpha)$ and $(\nu,\omega) \in \llbracket\alpha\rrbracket^I$, then there is an $\tilde\omega$ such that $(\tilde\nu,\tilde\omega) \in \llbracket\alpha\rrbracket^J$ and $\omega = \tilde\omega$ on $\mathcal{V}(\alpha)$. The same continues to hold if $\nu = \tilde\nu$ only on $\mathcal{V}(\alpha) \setminus \mathrm{MBV}(\alpha)$.

Proof. By Lemma 4 with $V = \mathcal{V}(\alpha) \supseteq \mathrm{FV}(\alpha)$ or $V = \mathcal{V}(\alpha) \setminus \mathrm{MBV}(\alpha)$, respectively. □

Remark 1. Using hybrid computation sequences, the agreement in Lemma 4 continues to hold for $\omega = \tilde\omega$ on $V \cup W$, where $W$ is the set of must-bound variables on the hybrid computation sequence that $\alpha$ actually took for the transition $(\nu,\omega) \in \llbracket\alpha\rrbracket^I$, which could be larger than $\mathrm{MBV}(\alpha)$.


3 Uniform Substitutions 

The uniform substitution rule US1 from first-order logic [2, §35,40] substitutes all occurrences of predicate $p(\cdot)$ by a formula $\psi(\cdot)$, i.e. it replaces all occurrences of $p(\theta)$, for any (vectorial) term $\theta$, by the corresponding $\psi(\theta)$ simultaneously:

$$\text{(US1)}\quad \frac{\phi}{\phi^{p(\cdot)}_{\psi(\cdot)}} \qquad\qquad \text{(US)}\quad \frac{\phi}{\sigma(\phi)}$$

Rule US1 [2] requires all relevant substitutions of $\psi(\theta)$ for $p(\theta)$ to be admissible and requires that no $p(\theta)$ occurs in the scope of a quantifier or modality binding a variable of $\psi(\theta)$ other than the occurrences in $\theta$; see [2, §35,40].

This section considers a constructive definition of this proof rule that is more general: US. The dL calculus uses uniform substitutions that affect terms, formulas, and programs. A uniform substitution $\sigma$ is a mapping from expressions of the form $f(\cdot)$ to terms $\sigma f(\cdot)$, from $p(\cdot)$ to formulas $\sigma p(\cdot)$, from $C(\_)$ to formulas $\sigma C(\_)$, and from program constants $a$ to HPs $\sigma a$. Vectorial extensions are accordingly for uniform substitutions of other arities $k \geq 0$. Here $\cdot$ is a reserved function symbol of arity zero and $\_$ a reserved quantifier symbol of arity zero. Figure 1 defines the result $\sigma(\phi)$ of applying to a dL formula $\phi$ the uniform substitution $\sigma$ that uniformly replaces all occurrences of function $f$ by a (instantiated) term and all occurrences of predicate $p$ or quantifier $C$ by a (instantiated) formula as well as of program constant $a$ by a program. The notation $\sigma f(\cdot)$ denotes the replacement for $f(\cdot)$ according to $\sigma$, i.e. the value $\sigma f(\cdot)$ of function $\sigma$ at $f(\cdot)$. By contrast, $\sigma(\phi)$ denotes the result of applying $\sigma$ to $\phi$ according to Fig. 1 (likewise for $\sigma(\theta)$ and $\sigma(\alpha)$). The notation $f \in \sigma$ signifies that $\sigma$ replaces $f$, i.e. $\sigma f(\cdot) \neq f(\cdot)$. Finally, $\sigma$ is a total function when augmented with $\sigma g(\cdot) = g(\cdot)$ for all $g \notin \sigma$. Accordingly for predicate symbols, quantifiers, and program constants.

Definition 12 (Admissible uniform substitution). The uniform substitution $\sigma$ is $U$-admissible for $\phi$ (or $\theta$ or $\alpha$, respectively) with respect to the set $U \subseteq \mathcal{V} \cup \mathcal{V}'$ iff $\mathrm{FV}(\sigma|_{\Sigma(\phi)}) \cap U = \emptyset$, where $\sigma|_{\Sigma(\phi)}$ is the restriction of $\sigma$ that only replaces symbols that occur in $\phi$ and $\mathrm{FV}(\sigma) = \bigcup_{f \in \sigma} \mathrm{FV}(\sigma f(\cdot)) \cup \bigcup_{p \in \sigma} \mathrm{FV}(\sigma p(\cdot))$ are the free variables that $\sigma$ introduces. The uniform substitution $\sigma$ is admissible for $\phi$ (or $\theta$ or $\alpha$, respectively) iff all admissibility conditions during its application according to Fig. 1 hold, which check that the bound variables $U$ of each operator are not free in the substitution on its arguments, i.e. $\sigma$ is $U$-admissible. Otherwise the substitution clashes, so its result $\sigma(\phi)$ ($\sigma(\theta)$ or $\sigma(\alpha)$) is not defined.

US is only applicable if $\sigma$ is admissible for $\phi$. In all subsequent results, all applications of uniform substitutions are required to be defined (no clash).


$\sigma(x) = x$ for variable $x \in \mathcal{V}$
$\sigma(x') = x'$ for differential symbol $x' \in \mathcal{V}'$
$\sigma(f(\theta)) = (\sigma f)(\sigma(\theta)) \stackrel{\text{def}}{=} \{\cdot \mapsto \sigma(\theta)\}(\sigma f(\cdot))$ for function symbol $f \in \sigma$
$\sigma(g(\theta)) = g(\sigma(\theta))$ for function symbol $g \notin \sigma$
$\sigma(\theta + \eta) = \sigma(\theta) + \sigma(\eta)$
$\sigma(\theta \cdot \eta) = \sigma(\theta) \cdot \sigma(\eta)$
$\sigma((\theta)') = (\sigma(\theta))'$ if $\sigma$ $\mathcal{V} \cup \mathcal{V}'$-admissible for $\theta$
$\sigma(\theta \geq \eta) = \sigma(\theta) \geq \sigma(\eta)$
$\sigma(p(\theta)) = (\sigma p)(\sigma(\theta)) \stackrel{\text{def}}{=} \{\cdot \mapsto \sigma(\theta)\}(\sigma p(\cdot))$ for predicate symbol $p \in \sigma$
$\sigma(q(\theta)) = q(\sigma(\theta))$ for predicate symbol $q \notin \sigma$
$\sigma(C(\phi)) = \sigma C(\sigma(\phi)) \stackrel{\text{def}}{=} \{\_ \mapsto \sigma(\phi)\}(\sigma C(\_))$ if $\sigma$ $\mathcal{V} \cup \mathcal{V}'$-admissible for $\phi$, $C \in \sigma$
$\sigma(C(\phi)) = C(\sigma(\phi))$ if $\sigma$ $\mathcal{V} \cup \mathcal{V}'$-admissible for $\phi$, $C \notin \sigma$
$\sigma(\neg\phi) = \neg\sigma(\phi)$
$\sigma(\phi \wedge \psi) = \sigma(\phi) \wedge \sigma(\psi)$
$\sigma(\forall x\,\phi) = \forall x\,\sigma(\phi)$ if $\sigma$ $\{x\}$-admissible for $\phi$
$\sigma(\exists x\,\phi) = \exists x\,\sigma(\phi)$ if $\sigma$ $\{x\}$-admissible for $\phi$
$\sigma([\alpha]\phi) = [\sigma(\alpha)]\sigma(\phi)$ if $\sigma$ $\mathrm{BV}(\sigma(\alpha))$-admissible for $\phi$
$\sigma(\langle\alpha\rangle\phi) = \langle\sigma(\alpha)\rangle\sigma(\phi)$ if $\sigma$ $\mathrm{BV}(\sigma(\alpha))$-admissible for $\phi$
$\sigma(a) = \sigma a$ for program constant $a \in \sigma$
$\sigma(b) = b$ for program constant $b \notin \sigma$
$\sigma(x := \theta) = x := \sigma(\theta)$
$\sigma(x' := \theta) = x' := \sigma(\theta)$
$\sigma(x' = \theta \,\&\, \psi) = x' = \sigma(\theta) \,\&\, \sigma(\psi)$ if $\sigma$ $\{x,x'\}$-admissible for $\theta,\psi$
$\sigma(?\psi) = ?\sigma(\psi)$
$\sigma(\alpha \cup \beta) = \sigma(\alpha) \cup \sigma(\beta)$
$\sigma(\alpha;\beta) = \sigma(\alpha);\sigma(\beta)$ if $\sigma$ $\mathrm{BV}(\sigma(\alpha))$-admissible for $\beta$
$\sigma(\alpha^*) = (\sigma(\alpha))^*$ if $\sigma$ $\mathrm{BV}(\sigma(\alpha))$-admissible for $\alpha$

Figure 1: Recursive application of uniform substitution $\sigma$


3.1 Correctness of Uniform Substitutions 

Let $I_p^R$ denote the interpretation that agrees with interpretation $I$ except for the interpretation of predicate symbol $p$, which is changed to $R \subseteq \mathbb{R}$. Accordingly for predicate symbols of other arities, for function symbols $f$, and quantifiers $C$.

Corollary 6 (Substitution adjoints). The adjoint interpretation $\sigma_\nu^* I$ to substitution $\sigma$ for $I,\nu$ is the interpretation that agrees with $I$ except that for each function symbol $f \in \sigma$, predicate symbol $p \in \sigma$, quantifier $C \in \sigma$, and program constant $a \in \sigma$:

$$\begin{aligned}
\sigma_\nu^* I(f) &: \mathbb{R} \to \mathbb{R};\ d \mapsto \llbracket\sigma f(\cdot)\rrbracket^{I_\cdot^d}\nu \\
\sigma_\nu^* I(p) &= \{d \in \mathbb{R} : \nu \in \llbracket\sigma p(\cdot)\rrbracket^{I_\cdot^d}\} \\
\sigma_\nu^* I(C) &: \wp(\mathcal{S}) \to \wp(\mathcal{S});\ R \mapsto \llbracket\sigma C(\_)\rrbracket^{I_\_^R} \\
\sigma_\nu^* I(a) &= \llbracket\sigma a\rrbracket^I
\end{aligned}$$

If $\nu = \omega$ on $\mathrm{FV}(\sigma)$, then $\sigma_\nu^* I = \sigma_\omega^* I$. If $\sigma$ is $U$-admissible for $\phi$ (or $\theta$ or $\alpha$, respectively) and $\nu = \omega$ on $U^\complement$, then

$$\begin{aligned}
\llbracket\theta\rrbracket^{\sigma_\nu^* I} &= \llbracket\theta\rrbracket^{\sigma_\omega^* I}, \text{ i.e. } \llbracket\theta\rrbracket^{\sigma_\nu^* I}\mu = \llbracket\theta\rrbracket^{\sigma_\omega^* I}\mu \text{ for all } \mu \\
\llbracket\phi\rrbracket^{\sigma_\nu^* I} &= \llbracket\phi\rrbracket^{\sigma_\omega^* I} \\
\llbracket\alpha\rrbracket^{\sigma_\nu^* I} &= \llbracket\alpha\rrbracket^{\sigma_\omega^* I}
\end{aligned}$$

Proof. For well-definedness of $\sigma_\nu^* I$, note that $\sigma_\nu^* I(f)$ is a smooth function since $\sigma f(\cdot)$ has smooth values. First, $\sigma_\nu^* I(a) = \llbracket\sigma a\rrbracket^I = \sigma_\omega^* I(a)$ holds because the adjoint to $\sigma$ for $I,\nu$ in the case of programs is independent of $\nu$ (the program has access to its respective initial state at runtime). Likewise $\sigma_\nu^* I(C) = \sigma_\omega^* I(C)$ for quantifiers. By Lemma 3, $\llbracket\sigma f(\cdot)\rrbracket^{I_\cdot^d}\nu = \llbracket\sigma f(\cdot)\rrbracket^{I_\cdot^d}\omega$ when $\nu = \omega$ on $\mathrm{FV}(\sigma f(\cdot))$. Also $\nu \in \llbracket\sigma p(\cdot)\rrbracket^{I_\cdot^d}$ iff $\omega \in \llbracket\sigma p(\cdot)\rrbracket^{I_\cdot^d}$ by Lemma 3 when $\nu = \omega$ on $\mathrm{FV}(\sigma p(\cdot))$. Thus, $\sigma_\nu^* I = \sigma_\omega^* I$ when $\nu = \omega$ on $\mathrm{FV}(\sigma)$.

If $\sigma$ is $U$-admissible for $\phi$ (or $\theta$ or $\alpha$), then $\mathrm{FV}(\sigma f(\cdot)) \cap U = \emptyset$, so $\mathrm{FV}(\sigma f(\cdot)) \subseteq U^\complement$ for every function symbol $f \in \Sigma(\phi)$ (or $\theta$ or $\alpha$) and likewise for predicate symbols $p \in \Sigma(\phi)$. Since $\nu = \omega$ on $U^\complement$, so $\sigma_\nu^* I = \sigma_\omega^* I$ on the function and predicate symbols in $\Sigma(\phi)$ (or $\theta$ or $\alpha$). Finally, $\sigma_\nu^* I = \sigma_\omega^* I$ on $\Sigma(\phi)$ implies that $\omega \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ iff $\omega \in \llbracket\phi\rrbracket^{\sigma_\omega^* I}$ by Lemma 3, and that $\llbracket\theta\rrbracket^{\sigma_\nu^* I} = \llbracket\theta\rrbracket^{\sigma_\omega^* I}$ by Lemma 3, and that $\llbracket\alpha\rrbracket^{\sigma_\nu^* I} = \llbracket\alpha\rrbracket^{\sigma_\omega^* I}$ by Lemma 4. □


Substituting equals for equals is sound by the compositional semantics of dL. The more general uniform substitutions are still sound, because interpretations of uniform substitutes correspond to interpretations of their adjoints. The semantic modification of adjoint interpretations has the same effect as the syntactic uniform substitution, proved by simultaneous induction. Recall that all substitutions in the following are assumed to be defined (not to clash); otherwise the lemmas make no claim.


Lemma 7 (Uniform substitution lemma). The uniform substitution $\sigma$ and its adjoint interpretation $\sigma_\nu^* I, \nu$ to $\sigma$ for $I,\nu$ have the same term semantics:

$$\llbracket\sigma(\theta)\rrbracket^I\nu = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu$$

Proof. The proof is by structural induction on $\theta$.

• $\llbracket\sigma(x)\rrbracket^I\nu = \llbracket x\rrbracket^I\nu = \nu(x) = \llbracket x\rrbracket^{\sigma_\nu^* I}\nu$ since $x \notin \sigma$ for variable $x \in \mathcal{V}$

• $\llbracket\sigma(x')\rrbracket^I\nu = \llbracket x'\rrbracket^I\nu = \nu(x') = \llbracket x'\rrbracket^{\sigma_\nu^* I}\nu$ as $x' \notin \sigma$ for differential symbol $x' \in \mathcal{V}'$

• $\llbracket\sigma(f(\theta))\rrbracket^I\nu = \llbracket(\sigma f)(\sigma(\theta))\rrbracket^I\nu = \llbracket\{\cdot \mapsto \sigma(\theta)\}(\sigma f(\cdot))\rrbracket^I\nu = \llbracket\sigma f(\cdot)\rrbracket^{I_\cdot^d}\nu = (\sigma_\nu^* I(f))(d) = (\sigma_\nu^* I(f))(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) = \llbracket f(\theta)\rrbracket^{\sigma_\nu^* I}\nu$ with $d = \llbracket\sigma(\theta)\rrbracket^I\nu = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu$ by using the induction hypothesis twice, once for $\sigma(\theta)$ on the smaller $\theta$ and once for $\{\cdot \mapsto \sigma(\theta)\}(\sigma f(\cdot))$ on the possibly bigger term $\sigma f(\cdot)$ but the structurally simpler uniform substitution $\{\cdot \mapsto \sigma(\theta)\}(\ldots)$ that is a substitution on the symbol $\cdot$ of arity zero, not a substitution of functions with arguments. For well-foundedness of the induction note that the $\cdot$ substitution only happens for function symbols $f$ with at least one argument $\theta$ (for $f \in \sigma$).

• $\llbracket\sigma(g(\theta))\rrbracket^I\nu = \llbracket g(\sigma(\theta))\rrbracket^I\nu = I(g)(\llbracket\sigma(\theta)\rrbracket^I\nu) = I(g)(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) = \sigma_\nu^* I(g)(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) = \llbracket g(\theta)\rrbracket^{\sigma_\nu^* I}\nu$ by induction hypothesis and since $I(g) = \sigma_\nu^* I(g)$ as the interpretation of $g$ does not change in $\sigma_\nu^* I$ for $g \notin \sigma$.

• $\llbracket\sigma(\theta + \eta)\rrbracket^I\nu = \llbracket\sigma(\theta) + \sigma(\eta)\rrbracket^I\nu = \llbracket\sigma(\theta)\rrbracket^I\nu + \llbracket\sigma(\eta)\rrbracket^I\nu = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu + \llbracket\eta\rrbracket^{\sigma_\nu^* I}\nu = \llbracket\theta + \eta\rrbracket^{\sigma_\nu^* I}\nu$ by induction hypothesis.

• $\llbracket\sigma(\theta \cdot \eta)\rrbracket^I\nu = \llbracket\sigma(\theta) \cdot \sigma(\eta)\rrbracket^I\nu = \llbracket\sigma(\theta)\rrbracket^I\nu \cdot \llbracket\sigma(\eta)\rrbracket^I\nu = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu \cdot \llbracket\eta\rrbracket^{\sigma_\nu^* I}\nu = \llbracket\theta \cdot \eta\rrbracket^{\sigma_\nu^* I}\nu$ by induction hypothesis.

• $\llbracket\sigma((\theta)')\rrbracket^I\nu = \llbracket(\sigma(\theta))'\rrbracket^I\nu = \sum_x \nu(x')\,\frac{\partial\llbracket\sigma(\theta)\rrbracket^I}{\partial x}(\nu) = \sum_x \nu(x')\,\frac{\partial\llbracket\theta\rrbracket^{\sigma_\nu^* I}}{\partial x}(\nu) = \llbracket(\theta)'\rrbracket^{\sigma_\nu^* I}\nu$ by induction hypothesis, provided $\sigma$ is $\mathcal{V} \cup \mathcal{V}'$-admissible for $\theta$, i.e. does not introduce any variables or differential symbols, so that Corollary 6 implies $\sigma_\nu^* I = \sigma_\omega^* I$ for all $\nu, \omega$ (that agree on $(\mathcal{V} \cup \mathcal{V}')^\complement = \emptyset$, which imposes no condition on $\nu, \omega$).

□

Lemma 8 (Uniform substitution lemma). The uniform substitution $\sigma$ and its adjoint interpretation $\sigma_\nu^* I, \nu$ to $\sigma$ for $I,\nu$ have the same formula semantics:

$$\nu \in \llbracket\sigma(\phi)\rrbracket^I \text{ iff } \nu \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$$

Proof. The proof is by structural induction on $\phi$.

• $\nu \in \llbracket\sigma(\theta \geq \eta)\rrbracket^I$ iff $\nu \in \llbracket\sigma(\theta) \geq \sigma(\eta)\rrbracket^I$ iff $\llbracket\sigma(\theta)\rrbracket^I\nu \geq \llbracket\sigma(\eta)\rrbracket^I\nu$, by Lemma 7, iff $\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu \geq \llbracket\eta\rrbracket^{\sigma_\nu^* I}\nu$ iff $\nu \in \llbracket\theta \geq \eta\rrbracket^{\sigma_\nu^* I}$

• $\nu \in \llbracket\sigma(p(\theta))\rrbracket^I$ iff $\nu \in \llbracket(\sigma p)(\sigma(\theta))\rrbracket^I$ iff $\nu \in \llbracket\{\cdot \mapsto \sigma(\theta)\}(\sigma p(\cdot))\rrbracket^I$ iff, by IH, $\nu \in \llbracket\sigma p(\cdot)\rrbracket^{I_\cdot^d}$ iff $d \in \sigma_\nu^* I(p)$ iff $(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) \in \sigma_\nu^* I(p)$ iff $\nu \in \llbracket p(\theta)\rrbracket^{\sigma_\nu^* I}$ with $d = \llbracket\sigma(\theta)\rrbracket^I\nu = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu$ by using Lemma 7 for $\sigma(\theta)$ and by using the induction hypothesis for $\{\cdot \mapsto \sigma(\theta)\}(\sigma p(\cdot))$ on the possibly bigger formula $\sigma p(\cdot)$ but the structurally simpler uniform substitution $\{\cdot \mapsto \sigma(\theta)\}(\ldots)$ that is a mere substitution on symbol $\cdot$ of arity zero, not a substitution of predicates (for $p \in \sigma$).

• $\nu \in \llbracket\sigma(q(\theta))\rrbracket^I$ iff $\nu \in \llbracket q(\sigma(\theta))\rrbracket^I$ iff $(\llbracket\sigma(\theta)\rrbracket^I\nu) \in I(q)$, so, by Lemma 7, iff $(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) \in I(q)$ iff $(\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu) \in \sigma_\nu^* I(q)$ iff $\nu \in \llbracket q(\theta)\rrbracket^{\sigma_\nu^* I}$ since $I(q) = \sigma_\nu^* I(q)$ as the interpretation of $q$ does not change in $\sigma_\nu^* I$ (for $q \notin \sigma$).

• For the case $\sigma(C(\phi))$, first show $\llbracket\sigma(\phi)\rrbracket^I = \llbracket\phi\rrbracket^{\sigma_\nu^* I}$. By induction hypothesis for the smaller $\phi$: $\omega \in \llbracket\sigma(\phi)\rrbracket^I$ iff $\omega \in \llbracket\phi\rrbracket^{\sigma_\omega^* I}$, where $\llbracket\phi\rrbracket^{\sigma_\omega^* I} = \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ by Corollary 6 for all $\nu, \omega$ (that agree on $(\mathcal{V} \cup \mathcal{V}')^\complement = \emptyset$, which imposes no condition on $\nu, \omega$) since $\sigma$ is $\mathcal{V} \cup \mathcal{V}'$-admissible for $\phi$. The proof then proceeds: $\nu \in \llbracket\sigma(C(\phi))\rrbracket^I = \llbracket\sigma C(\sigma(\phi))\rrbracket^I = \llbracket\{\_ \mapsto \sigma(\phi)\}(\sigma C(\_))\rrbracket^I$, so, by induction hypothesis for the structurally simpler uniform substitution $\{\_ \mapsto \sigma(\phi)\}$ that is a mere substitution on symbol $\_$ of arity zero, iff $\nu \in \llbracket\sigma C(\_)\rrbracket^{I_\_^R}$ since the adjoint to $\{\_ \mapsto \sigma(\phi)\}$ is $I_\_^R$ with $R = \llbracket\sigma(\phi)\rrbracket^I$. Also $\nu \in \llbracket C(\phi)\rrbracket^{\sigma_\nu^* I} = \sigma_\nu^* I(C)(\llbracket\phi\rrbracket^{\sigma_\nu^* I}) = \llbracket\sigma C(\_)\rrbracket^{I_\_^R}$ for $R = \llbracket\phi\rrbracket^{\sigma_\nu^* I} = \llbracket\sigma(\phi)\rrbracket^I$ by induction hypothesis. Both sides are, thus, equivalent.

• The case $\sigma(C(\phi))$ for $C \notin \sigma$ again first shows $\llbracket\sigma(\phi)\rrbracket^I = \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ for all $\nu$ using that $\sigma$ is $\mathcal{V} \cup \mathcal{V}'$-admissible for $\phi$. Then $\llbracket\sigma(C(\phi))\rrbracket^I = \llbracket C(\sigma(\phi))\rrbracket^I = I(C)(\llbracket\sigma(\phi)\rrbracket^I) = I(C)(\llbracket\phi\rrbracket^{\sigma_\nu^* I}) = \sigma_\nu^* I(C)(\llbracket\phi\rrbracket^{\sigma_\nu^* I}) = \llbracket C(\phi)\rrbracket^{\sigma_\nu^* I}$, so $\nu \in \llbracket\sigma(C(\phi))\rrbracket^I$ iff $\nu \in \llbracket C(\phi)\rrbracket^{\sigma_\nu^* I}$.

• $\nu \in \llbracket\sigma(\neg\phi)\rrbracket^I$ iff $\nu \in \llbracket\neg\sigma(\phi)\rrbracket^I$ iff $\nu \notin \llbracket\sigma(\phi)\rrbracket^I$, by induction hypothesis, iff $\nu \notin \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ iff $\nu \in \llbracket\neg\phi\rrbracket^{\sigma_\nu^* I}$

• $\nu \in \llbracket\sigma(\phi \wedge \psi)\rrbracket^I$ iff $\nu \in \llbracket\sigma(\phi) \wedge \sigma(\psi)\rrbracket^I$ iff $\nu \in \llbracket\sigma(\phi)\rrbracket^I$ and $\nu \in \llbracket\sigma(\psi)\rrbracket^I$, by induction hypothesis, iff $\nu \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ and $\nu \in \llbracket\psi\rrbracket^{\sigma_\nu^* I}$ iff $\nu \in \llbracket\phi \wedge \psi\rrbracket^{\sigma_\nu^* I}$

• $\nu \in \llbracket\sigma(\exists x\,\phi)\rrbracket^I$ iff $\nu \in \llbracket\exists x\,\sigma(\phi)\rrbracket^I$ (provided $\sigma$ is $\{x\}$-admissible for $\phi$) iff $\nu_x^d \in \llbracket\sigma(\phi)\rrbracket^I$ for some $d$, so, by induction hypothesis, iff $\nu_x^d \in \llbracket\phi\rrbracket^{\sigma_{\nu_x^d}^* I}$ for some $d$, which is equivalent to $\nu_x^d \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ for some $d$ by Corollary 6, as $\sigma$ is $\{x\}$-admissible for $\phi$ and $\nu = \nu_x^d$ on $\{x\}^\complement$. Thus, this is equivalent to $\nu \in \llbracket\exists x\,\phi\rrbracket^{\sigma_\nu^* I}$.

• The case $\nu \in \llbracket\sigma(\forall x\,\phi)\rrbracket^I$ follows by duality $\forall x\,\phi \equiv \neg\exists x\,\neg\phi$, which is respected in the definition of uniform substitutions.

• $\nu \in \llbracket\sigma(\langle\alpha\rangle\phi)\rrbracket^I$ iff $\nu \in \llbracket\langle\sigma(\alpha)\rangle\sigma(\phi)\rrbracket^I$ (provided $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\phi$) iff there is an $\omega$ such that $(\nu,\omega) \in \llbracket\sigma(\alpha)\rrbracket^I$ and $\omega \in \llbracket\sigma(\phi)\rrbracket^I$, which, by Lemma 9 and induction hypothesis, respectively, is equivalent to: there is an $\omega$ such that $(\nu,\omega) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$ and $\omega \in \llbracket\phi\rrbracket^{\sigma_\omega^* I}$, which is equivalent to $\nu \in \llbracket\langle\alpha\rangle\phi\rrbracket^{\sigma_\nu^* I}$, because $\omega \in \llbracket\phi\rrbracket^{\sigma_\omega^* I}$ is equivalent to $\omega \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$ by Corollary 6 as $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\phi$ and $\nu = \omega$ on $\mathrm{BV}(\sigma(\alpha))^\complement$ by Lemma 1 since $(\nu,\omega) \in \llbracket\sigma(\alpha)\rrbracket^I$.

• The case $\nu \in \llbracket\sigma([\alpha]\phi)\rrbracket^I$ follows by duality $[\alpha]\phi \equiv \neg\langle\alpha\rangle\neg\phi$, which is respected in the definition of uniform substitutions.

□


Lemma 9 (Uniform substitution lemma). The uniform substitution $\sigma$ and its adjoint interpretation $\sigma_\nu^* I, \nu$ to $\sigma$ for $I,\nu$ have the same program semantics:

$$(\nu,\omega) \in \llbracket\sigma(\alpha)\rrbracket^I \text{ iff } (\nu,\omega) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$$

Proof. The proof is by structural induction on $\alpha$.

• $(\nu,\omega) \in \llbracket\sigma(a)\rrbracket^I = \llbracket\sigma a\rrbracket^I = \sigma_\nu^* I(a) = \llbracket a\rrbracket^{\sigma_\nu^* I}$ for program constant $a \in \sigma$ (the proof is accordingly for $a \notin \sigma$).

• $(\nu,\omega) \in \llbracket\sigma(x := \theta)\rrbracket^I = \llbracket x := \sigma(\theta)\rrbracket^I$ iff $\omega = \nu_x^{\llbracket\sigma(\theta)\rrbracket^I\nu} = \nu_x^{\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu}$ by Lemma 7, which is, thus, equivalent to $(\nu,\omega) \in \llbracket x := \theta\rrbracket^{\sigma_\nu^* I}$.

• $(\nu,\omega) \in \llbracket\sigma(x' := \theta)\rrbracket^I = \llbracket x' := \sigma(\theta)\rrbracket^I$ iff $\omega = \nu_{x'}^{\llbracket\sigma(\theta)\rrbracket^I\nu} = \nu_{x'}^{\llbracket\theta\rrbracket^{\sigma_\nu^* I}\nu}$ by Lemma 7, which is, thus, equivalent to $(\nu,\omega) \in \llbracket x' := \theta\rrbracket^{\sigma_\nu^* I}$.

• $(\nu,\omega) \in \llbracket\sigma(?\psi)\rrbracket^I = \llbracket ?\sigma(\psi)\rrbracket^I$ iff $\omega = \nu$ and $\nu \in \llbracket\sigma(\psi)\rrbracket^I$, iff, by Lemma 8, $\omega = \nu$ and $\nu \in \llbracket\psi\rrbracket^{\sigma_\nu^* I}$, which is equivalent to $(\nu,\omega) \in \llbracket ?\psi\rrbracket^{\sigma_\nu^* I}$.

• $(\nu,\omega) \in \llbracket\sigma(x' = \theta \,\&\, \psi)\rrbracket^I = \llbracket x' = \sigma(\theta) \,\&\, \sigma(\psi)\rrbracket^I$ (provided $\sigma$ is $\{x,x'\}$-admissible for $\theta,\psi$) iff $\exists\varphi : [0,T] \to \mathcal{S}$ with $\varphi(0) = \nu$, $\varphi(T) = \omega$ and for all $t \geq 0$: $\varphi'(t) = \llbracket\sigma(\theta)\rrbracket^I\varphi(t) = \llbracket\theta\rrbracket^{\sigma_{\varphi(t)}^* I}\varphi(t)$ by Lemma 7 as well as $\varphi(t) \in \llbracket\sigma(\psi)\rrbracket^I$, which, by Lemma 8, is equivalent to $\varphi(t) \in \llbracket\psi\rrbracket^{\sigma_{\varphi(t)}^* I}$. Also $(\nu,\omega) \in \llbracket x' = \theta \,\&\, \psi\rrbracket^{\sigma_\nu^* I}$ iff $\exists\varphi : [0,T] \to \mathcal{S}$ with $\varphi(0) = \nu$, $\varphi(T) = \omega$ and for all $t \geq 0$: $\varphi'(t) = \llbracket\theta\rrbracket^{\sigma_\nu^* I}\varphi(t)$ and $\varphi(t) \in \llbracket\psi\rrbracket^{\sigma_\nu^* I}$. Finally, $\llbracket\theta\rrbracket^{\sigma_\nu^* I} = \llbracket\theta\rrbracket^{\sigma_{\varphi(t)}^* I}$ and $\llbracket\psi\rrbracket^{\sigma_\nu^* I} = \llbracket\psi\rrbracket^{\sigma_{\varphi(t)}^* I}$ by Corollary 6, since $\sigma$ is $\{x,x'\}$-admissible for $\theta,\psi$ and $\nu = \varphi(t)$ on $\mathrm{BV}(x' = \theta \,\&\, \psi)^\complement = \{x,x'\}^\complement$ by Lemma 1.

• $(\nu,\omega) \in \llbracket\sigma(\alpha \cup \beta)\rrbracket^I = \llbracket\sigma(\alpha) \cup \sigma(\beta)\rrbracket^I = \llbracket\sigma(\alpha)\rrbracket^I \cup \llbracket\sigma(\beta)\rrbracket^I$, which, by induction hypothesis, is equivalent to $(\nu,\omega) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$ or $(\nu,\omega) \in \llbracket\beta\rrbracket^{\sigma_\nu^* I}$, which is equivalent to $(\nu,\omega) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I} \cup \llbracket\beta\rrbracket^{\sigma_\nu^* I} = \llbracket\alpha \cup \beta\rrbracket^{\sigma_\nu^* I}$.

• $(\nu,\omega) \in \llbracket\sigma(\alpha;\beta)\rrbracket^I = \llbracket\sigma(\alpha);\sigma(\beta)\rrbracket^I = \llbracket\sigma(\alpha)\rrbracket^I \circ \llbracket\sigma(\beta)\rrbracket^I$ (provided $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\beta$) iff there is a $\mu$ such that $(\nu,\mu) \in \llbracket\sigma(\alpha)\rrbracket^I$ and $(\mu,\omega) \in \llbracket\sigma(\beta)\rrbracket^I$, which, by induction hypothesis, is equivalent to $(\nu,\mu) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$ and $(\mu,\omega) \in \llbracket\beta\rrbracket^{\sigma_\mu^* I}$. Yet, $\llbracket\beta\rrbracket^{\sigma_\mu^* I} = \llbracket\beta\rrbracket^{\sigma_\nu^* I}$ by Corollary 6, because $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\beta$ and $\nu = \mu$ on $\mathrm{BV}(\sigma(\alpha))^\complement$ by Lemma 1 since $(\nu,\mu) \in \llbracket\sigma(\alpha)\rrbracket^I$. Finally, $(\nu,\mu) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$ and $(\mu,\omega) \in \llbracket\beta\rrbracket^{\sigma_\nu^* I}$ for some $\mu$ is equivalent to $(\nu,\omega) \in \llbracket\alpha;\beta\rrbracket^{\sigma_\nu^* I}$.

• $(\nu,\omega) \in \llbracket\sigma(\alpha^*)\rrbracket^I = \llbracket(\sigma(\alpha))^*\rrbracket^I = (\llbracket\sigma(\alpha)\rrbracket^I)^* = \bigcup_{n \in \mathbb{N}} (\llbracket\sigma(\alpha)\rrbracket^I)^n$ (provided $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\alpha$) iff there are $n \in \mathbb{N}$ and $\nu_0 = \nu, \nu_1, \ldots, \nu_n = \omega$ such that $(\nu_i,\nu_{i+1}) \in \llbracket\sigma(\alpha)\rrbracket^I$ for all $i < n$. By $n$ uses of the induction hypothesis, this is equivalent to $(\nu_i,\nu_{i+1}) \in \llbracket\alpha\rrbracket^{\sigma_{\nu_i}^* I}$ for all $i < n$, which is equivalent to $(\nu_i,\nu_{i+1}) \in \llbracket\alpha\rrbracket^{\sigma_\nu^* I}$ by Corollary 6, since $\sigma$ is $\mathrm{BV}(\sigma(\alpha))$-admissible for $\alpha$ and $\nu_{i+1} = \nu_i$ on $\mathrm{BV}(\sigma(\alpha))^\complement$ by Lemma 1 as $(\nu_i,\nu_{i+1}) \in \llbracket\sigma(\alpha)\rrbracket^I$ for all $i < n$. Thus, this is equivalent to $(\nu,\omega) \in \llbracket\alpha^*\rrbracket^{\sigma_\nu^* I} = (\llbracket\alpha\rrbracket^{\sigma_\nu^* I})^*$.

□


3.2 Soundness 


The uniform substitution lemmas are the key insights for the soundness of US. US is only applicable if the uniform substitution is defined (does not clash).

Theorem 10 (Soundness of uniform substitution). US is sound and so is its special case US1. That is, if their premise is valid, then so is their conclusion.

Proof. Let the premise $\phi$ of US be valid, i.e. $\nu \in \llbracket\phi\rrbracket^I$ for all interpretations and states $I,\nu$. To show that the conclusion is valid, consider any interpretation and state $I,\nu$ and show $\nu \in \llbracket\sigma(\phi)\rrbracket^I$. By Lemma 8, $\nu \in \llbracket\sigma(\phi)\rrbracket^I$ iff $\nu \in \llbracket\phi\rrbracket^{\sigma_\nu^* I}$. The latter holds, because $\nu \in \llbracket\phi\rrbracket^I$ for all $I,\nu$, including for $\sigma_\nu^* I, \nu$, by premise. The rule US1 is the special case of US where $\sigma$ only substitutes predicate symbol $p$. □


4 Differential Dynamic Logic Axioms 


Proof rules and axioms for a Hilbert-type axiomatization of dL from prior work [7] are shown in Fig. 2, except that, thanks to rule US, axioms and rules now comprise the finite list of dL formulas in Fig. 2 as opposed to an infinite collection of axioms from a finite list of axiom schemata along with schema variables, side conditions, and implicit instantiation rules. Soundness of the axioms in Fig. 2 follows from the soundness of corresponding axiom schemata [7], but would be easier to prove standalone, because it is a finite list of formulas without the need to prove soundness for all their instantiations. The rules in Fig. 2 are axiomatic rules, i.e. pairs of concrete formulas instantiated by US. Further, $\bar{x}$ is the vector of all relevant variables, which is finite-dimensional, or, in practice, considered as a built-in vectorial term. Proofs in the uniform substitution dL calculus use US (and bound renaming such as $\forall x\,p(x) \leftrightarrow \forall y\,p(y)$) to instantiate the axioms from Fig. 2 to the required form. CT, CQ, CE are congruence rules, which are included for efficiency to use axioms in any context even if not needed for completeness.

Real Quantifiers. Besides (decidable) real arithmetic (whose use is denoted $\mathbb{R}$), complete axioms for first-order logic can be adopted to express universal instantiation $\forall$i (if $p$ is true of all $x$ it is also true of constant symbol $f$), distributivity $\forall\!\to$, and vacuous quantification $\forall$v (predicate $p$ of arity zero does not depend on $x$).

($\forall$i) $(\forall x\,p(x)) \to p(f)$

($\forall\!\to$) $\forall x\,(p(x) \to q(x)) \to (\forall x\,p(x) \to \forall x\,q(x))$

($\forall$v) $p \to \forall x\,p$




⟨·⟩  $\langle a\rangle p(\bar x) \leftrightarrow \neg[a]\neg p(\bar x)$
[:=]  $[x := f]p(x) \leftrightarrow p(f)$
[?]  $[?q]p \leftrightarrow (q \to p)$
[∪]  $[a \cup b]p(\bar x) \leftrightarrow [a]p(\bar x) \wedge [b]p(\bar x)$
[;]  $[a;b]p(\bar x) \leftrightarrow [a][b]p(\bar x)$
[*]  $[a^*]p(\bar x) \leftrightarrow p(\bar x) \wedge [a][a^*]p(\bar x)$
K  $[a](p(\bar x) \to q(\bar x)) \to ([a]p(\bar x) \to [a]q(\bar x))$
I  $[a^*](p(\bar x) \to [a]p(\bar x)) \to (p(\bar x) \to [a^*]p(\bar x))$
V  $p \to [a]p$
G  $\dfrac{p(\bar x)}{[a]p(\bar x)}$
∀  $\dfrac{p(x)}{\forall x\,p(x)}$
MP  $\dfrac{p \to q \qquad p}{q}$
CT  $\dfrac{f(\bar x) = g(\bar x)}{c(f(\bar x)) = c(g(\bar x))}$
CQ  $\dfrac{f(\bar x) = g(\bar x)}{p(f(\bar x)) \leftrightarrow p(g(\bar x))}$
CE  $\dfrac{p(\bar x) \leftrightarrow q(\bar x)}{C(p(\bar x)) \leftrightarrow C(q(\bar x))}$
US  $\dfrac{\phi}{\sigma(\phi)}$

Figure 2: Differential dynamic logic axioms and proof rules


The Significance of Clashes. This section illustrates how soundness-critical it is for US to produce substitution clashes by showing unsound naive proof attempts that US prevents successfully. US clashes for substitutions that introduce a free variable into a bound context. Even an occurrence of $p(x)$ in a context where $x$ is bound does not allow mentioning $x$ in the replacement except in the $\cdot$ places:

$$\text{clash}\quad \frac{[x := f]p(x) \leftrightarrow p(f)}{[x := x+1]\,x \neq x \leftrightarrow x+1 \neq x} \qquad \sigma = \{f \mapsto x+1,\ p(\cdot) \mapsto (\cdot \neq x)\}$$

US can directly handle even nontrivial binding structures, though, e.g. from [:=] with the substitution $\sigma = \{f \mapsto x^2,\ p(\cdot) \mapsto [(z := \cdot + z)^*; z := \cdot + yz]\,y > \cdot\}$:

$$\text{US}\quad \frac{[x := f]p(x) \leftrightarrow p(f)}{[x := x^2][(z := x+z)^*; z := x+yz]\,y > x \leftrightarrow [(z := x^2+z)^*; z := x^2+yz]\,y > x^2}$$

Similarly from [:=] with $\{f \mapsto x^2,\ p(\cdot) \mapsto [(y := y+1 \cup z := \cdot + z)^*; z := \cdot + yz]\,y > \cdot\}$:

$$\text{US}\quad \frac{[x := f]p(x) \leftrightarrow p(f)}{[x := x^2][(y := y+1 \cup z := x+z)^*; z := x+yz]\,y > x \leftrightarrow [(y := y+1 \cup z := x^2+z)^*; z := x^2+yz]\,y > x^2}$$

It is soundness-critical that US clashes when trying to instantiate $p$ in $\forall$v with a formula that mentions the bound variable $x$:

$$\text{clash}\quad \frac{p \to \forall x\,p}{x \geq 0 \to \forall x\,x \geq 0} \qquad \{p \mapsto x \geq 0\}$$

It is soundness-critical that US clashes when substituting $p$ in vacuous program axiom V with a formula with a free occurrence of a variable bound by $a$:

$$\text{clash}\quad \frac{p \to [a]p}{x \geq 0 \to [x := x-1]\,x \geq 0} \qquad \{a \mapsto x := x-1,\ p \mapsto x \geq 0\}$$

Gödel's generalization rule G uses $p(\bar x)$ instead of $p$ from V, so allows the proof:

$$\text{G}\quad \frac{(-x)^2 \geq 0}{[x := x-1]\,(-x)^2 \geq 0}$$

Let $\bar x = (x,y)$, $\sigma = \{a \mapsto x := x+1,\ b \mapsto x := 0; y := 0,\ p(\bar x) \mapsto x > y\}$. US derives:

$$\text{US}\quad \frac{[a \cup b]p(\bar x) \leftrightarrow [a]p(\bar x) \wedge [b]p(\bar x)}{[x := x+1 \cup (x := 0; y := 0)]\,x > y \leftrightarrow [x := x+1]\,x > y \wedge [x := 0; y := 0]\,x > y}$$

With $\bar x = (x,y)$ and $\{a \mapsto x := x+1 \cup y := 0,\ b \mapsto y := y+1,\ p(\bar x) \mapsto x > y\}$ US derives:

$$\text{US}\quad \frac{[a;b]p(\bar x) \leftrightarrow [a][b]p(\bar x)}{[(x := x+1 \cup y := 0); y := y+1]\,x > y \leftrightarrow [x := x+1 \cup y := 0][y := y+1]\,x > y}$$
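As an added example (not the paper's own code), the following Python implements the recursive application of a uniform substitution from Fig. 1 together with the admissibility checks of Def. 12 for the discrete fragment of dL, and runs it on the instantiations of this section: the [:=], ∀v and V attempts above clash, while the nontrivial binding example from [:=] goes through. The tuple syntax, the `ALL` sentinel standing for the bound variables of an unreplaced program constant, and a single namespace for symbol names are assumptions of this example.

```python
# Added example (not the paper's own code): uniform substitution sigma applied
# per Fig. 1 with the clash checks of Def. 12, for the discrete fragment of dL
# (no differential equations, no differentials). Expressions are nested tuples,
# ('dot',) is the reserved symbol '.', and symbol names are assumed to be
# unique across the function, predicate and program-constant namespaces.
class Clash(Exception): pass

ALL = '*'   # "every variable": a program constant may read and write all of them

def mbv(p):
    """Must-bound variables of a program: written on every run."""
    k = p[0]
    if k == 'assign': return {p[1]}
    if k == 'seq': return mbv(p[1]) | mbv(p[2])
    if k == 'choice': return mbv(p[1]) & mbv(p[2])
    return set()                     # test, loop, program constant

def bv(p):
    """Bound variables of a program: written on some run."""
    k = p[0]
    if k == 'assign': return {p[1]}
    if k in ('seq', 'choice'): return bv(p[1]) | bv(p[2])
    if k == 'loop': return bv(p[1])
    if k == 'pc': return {ALL}
    return set()                     # test

def fv(e):
    """Free variables of a term, formula or program."""
    k = e[0]
    if k == 'var': return {e[1]}
    if k in ('num', 'dot'): return set()
    if k in ('app', 'pred'): return fv(e[2]) if e[2] else set()
    if k in ('op', 'cmp', 'bin'): return fv(e[2]) | fv(e[3])
    if k in ('not', 'test', 'loop'): return fv(e[1])
    if k == 'forall': return fv(e[2]) - {e[1]}
    if k in ('box', 'seq'): return fv(e[1]) | (fv(e[2]) - mbv(e[1]))
    if k == 'choice': return fv(e[1]) | fv(e[2])
    if k == 'assign': return fv(e[2])
    return {ALL}                     # program constant

def symbols(e):
    """Function, predicate, program-constant symbols (and '.') occurring in e."""
    if e[0] in ('app', 'pred', 'pc', 'dot'):
        s = {'.' if e[0] == 'dot' else e[1]}
        return s | (symbols(e[2]) if e[0] in ('app', 'pred') and e[2] else set())
    return set().union(*(symbols(c) for c in e[1:] if isinstance(c, tuple)))

def check(sigma, U, e):
    """Def. 12: the free variables sigma introduces for symbols of e may not be in U."""
    intro = set().union(*(fv(sigma[s]) for s in symbols(e) if s in sigma))
    if intro and (ALL in U or U & intro):
        raise Clash(f"{sorted(U & intro) or 'all'} bound but free in substitute")

def subst(sigma, e):
    """sigma(e) as in Fig. 1; raises Clash where a side condition of Fig. 1 fails."""
    k = e[0]
    if k in ('var', 'num'): return e
    if k == 'dot': return sigma.get('.', e)
    if k in ('app', 'pred'):
        arg = subst(sigma, e[2]) if e[2] else None
        if e[1] in sigma:            # (sigma f)(sigma(theta)) = {. -> sigma(theta)}(sigma f(.))
            return subst({'.': arg} if arg else {}, sigma[e[1]])
        return (k, e[1], arg)
    if k in ('op', 'cmp', 'bin'): return (k, e[1], subst(sigma, e[2]), subst(sigma, e[3]))
    if k in ('not', 'test'): return (k, subst(sigma, e[1]))
    if k == 'choice': return (k, subst(sigma, e[1]), subst(sigma, e[2]))
    if k == 'assign': return (k, e[1], subst(sigma, e[2]))
    if k == 'pc': return sigma.get(e[1], e)
    if k == 'forall':                # sigma must be {x}-admissible for phi
        check(sigma, {e[1]}, e[2])
        return (k, e[1], subst(sigma, e[2]))
    a = subst(sigma, e[1])           # box, seq, loop: BV(sigma(alpha))-admissible
    if k == 'loop':
        check(sigma, bv(a), e[1])
        return (k, a)
    check(sigma, bv(a), e[2])
    return (k, a, subst(sigma, e[2]))

def instantiate(axiom, sigma):
    """Rule US: sigma(axiom) when sigma is admissible for it, None on a clash."""
    try:
        return subst(sigma, axiom)
    except Clash:
        return None

x, y, z, zero, one, dot = ('var', 'x'), ('var', 'y'), ('var', 'z'), ('num', 0), ('num', 1), ('dot',)
f0, p = ('app', 'f', None), lambda t: ('pred', 'p', t)
AX_ASSIGN = ('bin', '↔', ('box', ('assign', 'x', f0), p(x)), p(f0))   # [x:=f]p(x) <-> p(f)
AX_VAC = ('bin', '→', p(None), ('forall', 'x', p(None)))               # p -> forall x p
AX_V = ('bin', '→', p(None), ('box', ('pc', 'a'), p(None)))            # p -> [a]p
# unsound attempt from the text: x is bound by x:=x+1 but free in the substitute for p
BAD = {'f': ('op', '+', x, one), 'p': ('cmp', '≠', dot, x)}
# admissible substitution with the nontrivial binding structure from the text
GOOD = {'f': ('op', '*', x, x),
        'p': ('box', ('seq', ('loop', ('assign', 'z', ('op', '+', dot, z))),
                      ('assign', 'z', ('op', '+', dot, ('op', '*', y, z)))), ('cmp', '≥', y, dot))}
if __name__ == '__main__':
    print(instantiate(AX_ASSIGN, BAD), instantiate(AX_VAC, {'p': ('cmp', '≥', x, zero)}))  # None None
    print(instantiate(AX_ASSIGN, GOOD))
```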

Not all axioms fit to the uniform substitution framework. The Barcan axiom was used in a completeness proof for the Hilbert-type calculus for differential dynamic logic [7] (but not in the completeness proof for its sequent calculus [5]):

(B) $\forall x\,[a]p(x) \to [a]\forall x\,p(x) \qquad (x \notin a)$

B is unsound without the restriction $x \notin a$, though, so that the following would be an unsound axiom:

$$\forall x\,[a]p(x) \to [a]\forall x\,p(x) \qquad (1)$$

because $x \notin a$ cannot be enforced for program constants, since their effect might very well depend on the value of $x$ or since they might write to $x$. In (1), $x$ cannot be written by $a$ without violating soundness:

$$\text{US}\quad \frac{\forall x\,[a]p(x) \to [a]\forall x\,p(x)}{\forall x\,[x := 0]\,x \geq 0 \to [x := 0]\forall x\,x \geq 0} \qquad \{a \mapsto x := 0,\ p(\cdot) \mapsto \cdot \geq 0\}$$

nor can $x$ be read by $a$ in (1) without violating soundness:

$$\text{US}\quad \frac{\forall x\,[a]p(x) \to [a]\forall x\,p(x)}{\forall x\,[y := x^2]\,y = x^2 \to [y := x^2]\forall x\,y = x^2} \qquad \{a \mapsto y := x^2,\ p(\cdot) \mapsto y = \cdot\}$$

Thus, the completeness proof for differential dynamic logic from prior work [7] does not directly carry over. A more general completeness result for differential game logic implies, however, that B is unnecessary for completeness.
5 Differential Equations and Differential Axioms

Section 4 leverages the first-order features of dL and US to obtain a finite list of axioms without side-conditions. They lack axioms for differential equations, though. Classical calculi for dL have axioms for replacing differential equations with a quantifier for time $t \geq 0$ and an assignment for their solutions $x(t)$ [5, 7]. Besides being limited to simple differential equations, such axioms have the inherent side-condition "if $x(t)$ is a solution of the differential equation $x' = \theta$ with symbolic initial value $x$". Such a side-condition is more difficult than occurrence and read/write conditions, but equally soundness-critical. This section leverages US and the new differential forms in dL to obtain a logically internalized version of differential invariants and related proof rules for differential equations [6, 8] as axioms (without schema variables and free of side-conditions). These axioms can prove properties of more general "unsolvable" differential equations. They can also prove all properties of differential equations that can be proved with solutions [8] while guaranteeing correctness of the solution as part of the proof.


5.1 Differentials: Invariants, Cuts, Effects, and Ghosts 

Figure 3 shows differential equation axioms for differential weakening (DW), differential cuts (DC), differential effect (DE), differential invariants (DI) [6], differential ghosts (DG) [8], solutions (DS), differential substitutions ([':=]), and differential axioms (+', ·', ∘'). Axioms identifying $(x)' = x'$ for variables $x \in \mathcal{V}$ and $(f)' = 0$ for functions $f$ and number literals of arity 0 are used implicitly. Some axioms use reverse implications $(\phi \leftarrow \psi) \equiv (\psi \to \phi)$ for emphasis.

DW  $[x' = f(x) \,\&\, q(x)]q(x)$
DC  $([x' = f(x) \,\&\, q(x)]p(x) \leftrightarrow [x' = f(x) \,\&\, q(x) \wedge r(x)]p(x)) \leftarrow [x' = f(x) \,\&\, q(x)]r(x)$
DE  $[x' = f(x) \,\&\, q(x)]p(x,x') \leftrightarrow [x' = f(x) \,\&\, q(x)][x' := f(x)]p(x,x')$
DI  $[x' = f(x) \,\&\, q(x)]p(x) \leftarrow (q(x) \to p(x) \wedge [x' = f(x) \,\&\, q(x)](p(x))')$
DG  $[x' = f(x) \,\&\, q(x)]p(x) \leftrightarrow \exists y\,[x' = f(x), y' = a(x)y + b(x) \,\&\, q(x)]p(x)$
DS  $[x' = f \,\&\, q(x)]p(x) \leftrightarrow \forall t \geq 0\,((\forall 0 \leq s \leq t\; q(x + fs)) \to [x := x + ft]p(x))$
[':=]  $[x' := f]p(x') \leftrightarrow p(f)$
+'  $(f(x) + g(x))' = (f(x))' + (g(x))'$
·'  $(f(x) \cdot g(x))' = (f(x))' \cdot g(x) + f(x) \cdot (g(x))'$
∘'  $[y := g(x)][y' := 1]\big((f(g(x)))' = (f(y))' \cdot (g(x))'\big)$

Figure 3: Differential equation axioms and differential axioms
Differential weakening axiom DW internalizes that differential equations can never leave their evolution domain $q(x)$. DW implies³ $[x' = f(x) \,\&\, q(x)]p(x) \leftrightarrow [x' = f(x) \,\&\, q(x)](q(x) \to p(x))$, also called DW, whose (right) assumption is best proved by G, yielding premise $q(x) \to p(x)$. The differential cut axiom DC is a cut for differential equations. It internalizes that differential equations staying in $r(x)$ stay in $p(x)$ iff $p(x)$ always holds after the differential equation that is restricted to the smaller evolution domain $\&\, q(x) \wedge r(x)$. DC is a differential variant of modal modus ponens K.

Differential effect axiom DE internalizes that the effect on differential symbols along a differential equation is a differential assignment assigning the right-hand side $f(x)$ to the left-hand side $x'$. Axiom DI internalizes differential invariants, i.e. that a differential equation stays in $p(x)$ if it starts in $p(x)$ and if its differential $(p(x))'$ always holds after the differential equation $x' = f(x) \,\&\, q(x)$. The differential equation also vacuously stays in $p(x)$ if it starts outside $q(x)$, since it is stuck then. The (right) assumption of DI is best proved by DE to select the appropriate vector field $x' = f(x)$ for the differential $(p(x))'$ and a subsequent DW,G to make the evolution domain constraint $q(x)$ available as an assumption. For simplicity, this paper focuses on atomic postconditions for which $(\theta \geq \eta)' \equiv (\theta > \eta)' \equiv (\theta)' \geq (\eta)'$ and $(\theta = \eta)' \equiv (\theta \neq \eta)' \equiv (\theta)' = (\eta)'$, etc. Axiom DG internalizes differential ghosts, i.e. that additional differential equations can be added if their solution exists long enough. Axiom DS solves differential equations with the help of DG,DC. Vectorial generalizations to systems of differential equations are possible for the axioms in Fig. 3.

The following proof proves a property of a differential equation using differential invariants without having to solve that differential equation. One use of US is shown explicitly; other uses of US are similar for the DI and DE instances. The proof is read bottom-up; each line is labeled with the axiom or rule that justifies it, and the right branch closes by real arithmetic ($\mathbb{R}$).

Left branch:
·'   $(f(x) \cdot g(x))' = (f(x))' \cdot g(x) + f(x) \cdot (g(x))'$
US   $(x \cdot x)' = (x)' \cdot x + x \cdot (x)'$
     $(x \cdot x)' = x' \cdot x + x \cdot x'$
CQ   $(x \cdot x)' \geq 0 \leftrightarrow x' \cdot x + x \cdot x' \geq 0$
     $(x \cdot x > 1)' \leftrightarrow x' \cdot x + x \cdot x' \geq 0$

Right branch:
$\mathbb{R}$   $x^3 \cdot x + x \cdot x^3 \geq 0$
[':=]   $[x' := x^3]\,x' \cdot x + x \cdot x' \geq 0$
G   $[x' = x^3][x' := x^3]\,x' \cdot x + x \cdot x' \geq 0$

Conclusion from both branches:
CE   $[x' = x^3][x' := x^3](x \cdot x > 1)'$
DE   $[x' = x^3](x \cdot x > 1)'$
DI   $x \cdot x > 1 \to [x' = x^3]\,x \cdot x > 1$

Previous calculi [6, 8] collapse this proof into a single proof step with complicated built-in operator implementations that silently perform the same reasoning in an opaque way. The approach presented here combines separate axioms to achieve the same effect in a modular way, because they have individual responsibilities internalizing separate logical reasoning principles in differential-form dL. Tactics combining the axioms as indicated make the axiomatic way equally convenient. Clever cuts or MP enable proofs in which the main argument remains as fast as in [6, 8] while the additional premises subsequently check soundness. Both CQ and also CE simplify the proof substantially but are not necessary:

³ $[x' = f(x) \,\&\, q(x)](q(x) \to p(x)) \to [x' = f(x) \,\&\, q(x)]p(x)$ derives by K from DW. The converse $[x' = f(x) \,\&\, q(x)]p(x) \to [x' = f(x) \,\&\, q(x)](q(x) \to p(x))$ derives by K since G derives $[x' = f(x) \,\&\, q(x)](p(x) \to (q(x) \to p(x)))$.
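As an added example (not the paper's own code), the following Python carries out the syntactic part of the differential invariant proof of $x \cdot x > 1$ under $x' = x^3$ above: it builds $(x \cdot x)'$ by the differential axioms +', ·' and $(x)' = x'$, applies the differential assignment $[x' := x^3]$ that DE selects, and returns the real-arithmetic premise $x^3 \cdot x + x \cdot x^3 \geq 0$ that closes the right branch by $\mathbb{R}$. The tuple term syntax and the numeric sanity check at sample points are this example's own assumptions; the check is not a proof.

```python
# Added example (not the paper's own code): the syntactic side of the
# differential invariant proof above. Terms are nested tuples ('var', x),
# ('dvar', x) for the differential symbol x', ('num', c), ('+', s, t), ('*', s, t).
def differential(t):
    """(theta)' by the differential axioms +' and .' with (x)' = x', (c)' = 0."""
    k = t[0]
    if k == 'var': return ('dvar', t[1])               # (x)' = x'
    if k == 'num': return ('num', 0)                    # (c)' = 0 for a literal
    if k == '+':                                        # (f+g)' = (f)' + (g)'
        return ('+', differential(t[1]), differential(t[2]))
    if k == '*':                                        # (f.g)' = (f)'.g + f.(g)'
        return ('+', ('*', differential(t[1]), t[2]), ('*', t[1], differential(t[2])))
    raise ValueError(f"unknown term {t!r}")

def diff_assign(x, rhs, t):
    """Differential assignment [x' := rhs] on a term, as selected by axiom DE:
    every occurrence of the differential symbol x' becomes the right-hand side."""
    if t[0] == 'dvar': return rhs if t[1] == x else t
    if t[0] in ('var', 'num'): return t
    return (t[0], diff_assign(x, rhs, t[1]), diff_assign(x, rhs, t[2]))

def evaluate(t, state):
    """Value of a term in a state mapping variable names (x, or x' for x') to reals."""
    if t[0] == 'var': return state[t[1]]
    if t[0] == 'dvar': return state[t[1] + "'"]
    if t[0] == 'num': return t[1]
    a, b = evaluate(t[1], state), evaluate(t[2], state)
    return a + b if t[0] == '+' else a * b

def di_premise(lhs, rhs, x, f):
    """For an atomic postcondition lhs > rhs (or >=) under x' = f, the differential
    is (lhs)' >= (rhs)'; after [x' := f] the remaining DI premise is the
    arithmetic comparison of the two returned terms, (lhs)' >= (rhs)'."""
    return (diff_assign(x, f, differential(lhs)), diff_assign(x, f, differential(rhs)))

X = ('var', 'x')
X3 = ('*', X, ('*', X, X))                       # the vector field x' = x^3 of the proof
LEFT, RIGHT = di_premise(('*', X, X), ('num', 1), 'x', X3)
# LEFT is x^3.x + x.x^3 and RIGHT is 0: the premise x^3.x + x.x^3 >= 0 closed by R

def premise_holds_at(points):
    """Sanity check at sample states (not a proof; the proof uses real arithmetic)."""
    return all(evaluate(LEFT, {'x': v}) >= evaluate(RIGHT, {'x': v}) for v in points)
```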

Left branch:
·'   $(f(x) \cdot g(x))' = (f(x))' \cdot g(x) + f(x) \cdot (g(x))'$
US   $(x \cdot x)' = (x)' \cdot x + x \cdot (x)'$
     $(x \cdot x)' = x' \cdot x + x \cdot x'$
$\mathbb{R}$   $(x \cdot x)' = x' \cdot x + x \cdot x' \to ((x \cdot x)' \geq 0 \leftrightarrow x' \cdot x + x \cdot x' \geq 0)$
MP   $(x \cdot x)' \geq 0 \leftrightarrow x' \cdot x + x \cdot x' \geq 0$
G   $[x' := x^3]((x \cdot x)' \geq 0 \leftrightarrow x' \cdot x + x \cdot x' \geq 0)$
K   $[x' := x^3](x \cdot x)' \geq 0 \leftrightarrow [x' := x^3]\,x' \cdot x + x \cdot x' \geq 0$

Right branch:
$\mathbb{R}$   $x^3 \cdot x + x \cdot x^3 \geq 0$
[':=]   $[x' := x^3]\,x' \cdot x + x \cdot x' \geq 0$   (use proof above)

Conclusion from both branches:
MP   $[x' := x^3](x \cdot x)' \geq 0$
G   $[x' = x^3][x' := x^3](x \cdot x)' \geq 0$
DE   $[x' = x^3](x \cdot x)' \geq 0$
DI   $x \cdot x > 1 \to [x' = x^3]\,x \cdot x > 1$


The proof uses (implicit) cuts with equivalences predicting the outcome of the right branch, which is simple but inconvenient. A constructive direct proof uses a free function symbol $j(x,x')$ instead, which is ultimately instantiated by US as in Theorem 14.

The same technique is helpful for invariant search, in which case a free predicate symbol $p(x)$ is used and instantiated by US lazily when the proof closes.


Left branch:
·'   $(f(x) \cdot g(x))' = (f(x))' \cdot g(x) + f(x) \cdot (g(x))'$
US   $(x \cdot x)' = (x)' \cdot x + x \cdot (x)'$
     $(x \cdot x)' = x' \cdot x + x \cdot x'$
     $(x \cdot x)' = j(x,x')$
CQ   $(x \cdot x)' \geq 0 \leftrightarrow j(x,x') \geq 0$
     $(x \cdot x > 1)' \leftrightarrow j(x,x') \geq 0$

Right branch:
$\mathbb{R}$   $x^3 \cdot x + x \cdot x^3 \geq 0$
US   $j(x,x^3) \geq 0$
[':=]   $[x' := x^3]\,j(x,x') \geq 0$
G   $[x' = x^3][x' := x^3]\,j(x,x') \geq 0$

Conclusion from both branches:
CE   $[x' = x^3][x' := x^3](x \cdot x > 1)'$
DE   $[x' = x^3](x \cdot x > 1)'$
DI   $x \cdot x > 1 \to [x' = x^3]\,x \cdot x > 1$


Proofs based entirely on equivalences for solving differential equations involve DG for introducing a time variable, DC to cut the solutions in, DW to export the solution to the postcondition, inverse DC to remove the evolution domain constraints again, inverse DG to remove the original differential equations, and finally DS to solve the differential equation for time (read bottom-up):

$\mathbb{R}$   $\phi \to \forall s \geq 0\,(x_0 + \frac{a}{2}s^2 + v_0 s \geq 0)$
[:=]   $\phi \to \forall s \geq 0\,[t := 0 + 1s]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
DS   $\phi \to [t' = 1]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
DG   $\phi \to [v' = a, t' = 1]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
DG   $\phi \to [x' = v, v' = a, t' = 1]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
DC   $\phi \to [x' = v, v' = a, t' = 1 \,\&\, v = v_0 + at]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
DC   $\phi \to [x' = v, v' = a, t' = 1 \,\&\, v = v_0 + at \wedge x = x_0 + \frac{a}{2}t^2 + v_0 t]\,x_0 + \frac{a}{2}t^2 + v_0 t \geq 0$
G,K   $\phi \to [x' = v, v' = a, t' = 1 \,\&\, v = v_0 + at \wedge x = x_0 + \frac{a}{2}t^2 + v_0 t](x = x_0 + \frac{a}{2}t^2 + v_0 t \to x \geq 0)$
DW   $\phi \to [x' = v, v' = a, t' = 1 \,\&\, v = v_0 + at \wedge x = x_0 + \frac{a}{2}t^2 + v_0 t]\,x \geq 0$
DC   $\phi \to [x' = v, v' = a, t' = 1 \,\&\, v = v_0 + at]\,x \geq 0$
DC   $\phi \to [x' = v, v' = a, t' = 1]\,x \geq 0$
DG   $\phi \to \exists t\,[x' = v, v' = a, t' = 1]\,x \geq 0$
     $\phi \to [x' = v, v' = a]\,x \geq 0$
where $\phi$ is $a \geq 0 \wedge v = v_0 \geq 0 \wedge x = x_0 \geq 0$. The existential quantifier for $t$ is instantiated by $0$, leading to $[t := 0]$ (suppressed in the proof for readability reasons). The 4 uses of DC lead to 2 additional premises proving that $v = v_0 + at$ and then $x = x_0 + \frac{a}{2}t^2 + v_0 t$ are differential invariants (using DI, DE, DW). Shortcuts using DW are possible, but the above proof generalizes to $\langle\cdot\rangle$ because it is an equivalence proof. The additional premise for DC with $v = v_0 + at$ proves as follows:


                                                    *
                                        ℝ  ─────────────────────────────────────────────
                                            a = 0 + a·1
                                     [':=] ─────────────────────────────────────────────
                                            [v' := a][t' := 1] v' = 0 + a·t'
   (v = v₀ + at)' ↔ v' = 0 + a·t'       CE ─────────────────────────────────────────────
                                            [v' := a][t' := 1] (v = v₀ + at)'
                                        G  ─────────────────────────────────────────────
                                            [x' = v, v' = a, t' = 1][v' := a][t' := 1] (v = v₀ + at)'
                                        DE ─────────────────────────────────────────────
                                            [x' = v, v' = a, t' = 1] (v = v₀ + at)'
                                        DI ─────────────────────────────────────────────
                                            φ → [x' = v, v' = a, t' = 1] v = v₀ + at

The left premise of CE derives from the derivation axioms (a and v₀ are arity 0 function symbols, so their differentials are 0 by c'):

       +'   (f(x) + g(x))' = (f(x))' + (g(x))'
       US  ─────────────────────────────────────
            (v₀ + at)' = (v₀)' + (at)'
  c',·',x' ─────────────────────────────────────
            (v₀ + at)' = 0 + a·t'
       CQ  ─────────────────────────────────────
            v' = (v₀ + at)' ↔ v' = 0 + a·t'
           ─────────────────────────────────────
            (v = v₀ + at)' ↔ v' = 0 + a·t'


The additional premise for DC with x = x₀ + a/2·t² + v₀t proves as follows:

                                                                       *
                                                   ℝ  ───────────────────────────────────────────────
                                                       v = v₀ + at → v = at·1 + v₀·1
                                                [':=] ───────────────────────────────────────────────
                                                       v = v₀ + at → [x' := v][t' := 1] x' = att' + v₀t'
   (x = x₀ + a/2·t² + v₀t)' ↔ x' = att' + v₀t'     CE ───────────────────────────────────────────────
                                                       v = v₀ + at → [x' := v][t' := 1] (x = x₀ + a/2·t² + v₀t)'
                                                   G  ───────────────────────────────────────────────
                                                       [x' = v, v' = a, t' = 1 & v = v₀ + at] (v = v₀ + at → [x' := v][t' := 1] (x = x₀ + a/2·t² + v₀t)')
                                                   DW ───────────────────────────────────────────────
                                                       [x' = v, v' = a, t' = 1 & v = v₀ + at][x' := v][t' := 1] (x = x₀ + a/2·t² + v₀t)'
                                                   DE ───────────────────────────────────────────────
                                                       [x' = v, v' = a, t' = 1 & v = v₀ + at] (x = x₀ + a/2·t² + v₀t)'
                                                   DI ───────────────────────────────────────────────
                                                       φ → [x' = v, v' = a, t' = 1 & v = v₀ + at] x = x₀ + a/2·t² + v₀t

The left premise of CE derives as follows (with t² abbreviating t·t):

  +',·',c',x'   (x₀ + a/2·t² + v₀t)' = 2·(a/2)·t·t' + v₀·t'
           ℝ   ────────────────────────────────────────────────
                2·(a/2)·t·t' + v₀t' = att' + v₀t'
               ────────────────────────────────────────────────
                (x₀ + a/2·t² + v₀t)' = att' + v₀t'
          CQ   ────────────────────────────────────────────────
                x' = (x₀ + a/2·t² + v₀t)' ↔ x' = att' + v₀t'
               ────────────────────────────────────────────────
                (x = x₀ + a/2·t² + v₀t)' ↔ x' = att' + v₀t'


5.2 Differential Substitution Lemmas

The key insight for the soundness of DI is that the analytic time-derivative of the value of a term η along a differential equation x' = θ & ψ agrees with the values of its differential (η)' along the vector field of that differential equation.

Lemma 11 (Differential lemma). If $I,\varphi \models x' = \theta \wedge \psi$ holds for some flow $\varphi : [0,r] \to \mathcal{S}$ of any duration $r > 0$, then for all $0 \le \zeta \le r$:
$$[\![(\eta)']\!]^I \varphi(\zeta) = \frac{d\,[\![\eta]\!]^I(\varphi(t))}{dt}(\zeta)$$

Proof. By chain rule [13, §3.10]:
$$\frac{d\,[\![\eta]\!]^I(\varphi(t))}{dt}(\zeta) = \frac{d\,([\![\eta]\!]^I \circ \varphi)}{dt}(\zeta) = (\nabla[\![\eta]\!]^I)(\varphi(\zeta)) \cdot \varphi'(\zeta) = \sum_x \frac{\partial [\![\eta]\!]^I}{\partial x}(\varphi(\zeta)) \cdot \frac{d\varphi(t)(x)}{dt}(\zeta)$$
where $(\nabla[\![\eta]\!]^I)(\varphi(\zeta))$, the spatial gradient $\nabla[\![\eta]\!]^I$ at $\varphi(\zeta)$, is the vector of $\frac{\partial [\![\eta]\!]^I}{\partial x}(\varphi(\zeta))$. Chain rule and Def. 4 and Def. 6 (which give $\varphi(\zeta)(x') = \frac{d\varphi(t)(x)}{dt}(\zeta)$ along the differential equation), thus, imply:
$$[\![(\eta)']\!]^I \varphi(\zeta) = \sum_x \varphi(\zeta)(x')\,\frac{\partial [\![\eta]\!]^I}{\partial x}(\varphi(\zeta)) = \sum_x \frac{d\varphi(t)(x)}{dt}(\zeta)\,\frac{\partial [\![\eta]\!]^I}{\partial x}(\varphi(\zeta)) = \frac{d\,[\![\eta]\!]^I(\varphi(t))}{dt}(\zeta)$$
□
The key insight for the soundness of differential effects DE is that differential assignments mimicking the differential equation are vacuous along that differential equation. The differential substitution resulting from a subsequent use of [':=] is crucial to relay the values of the time-derivatives of the state variables x along a differential equation by way of their corresponding differential symbol x'. In combination, this makes it possible to soundly substitute the right-hand side of a differential equation for its left-hand side in a proof.

Lemma 12 (Differential assignment). If $I,\varphi \models x' = \theta \wedge \psi$ for some flow $\varphi : [0,r] \to \mathcal{S}$ of any duration $r \ge 0$, then
$$I,\varphi \models \phi \leftrightarrow [x' := \theta]\phi$$

Proof. $I,\varphi \models x' = \theta \wedge \psi$ implies $\varphi(\zeta) \in [\![x' = \theta \wedge \psi]\!]^I$, i.e. $\varphi(\zeta)(x') = [\![\theta]\!]^I\varphi(\zeta)$ and $\varphi(\zeta) \in [\![\psi]\!]^I$ for all $0 \le \zeta \le r$. Consequently $(\varphi(\zeta), \varphi(\zeta)) \in [\![x' := \theta]\!]^I$ does not change the state, so that $\phi$ and $[x' := \theta]\phi$ are equivalent along $\varphi$. □

The final insights for differential invariant reasoning for differential equations are syntactic ways of computing differentials, which can be internalized as axioms (+', ·', ∘'), since differentials are syntactically represented in differential-form dL.


Lemma 13 (Derivations). The following equations of differentials are valid:

  (f)' = 0                                          for arity 0 functions/numbers f     (2)
  (x)' = x'                                         for variables x ∈ V                 (3)
  (θ + η)' = (θ)' + (η)'                                                                (4)
  (θ · η)' = (θ)' · η + θ · (η)'                                                        (5)
  [y := θ][y' := 1]((f(θ))' = (f(y))' · (θ)')      for y, y' ∉ θ                       (6)

Proof. The proof shows each equation separately. The first parts consider any constant function (i.e. arity 0) or number literal f for (2) and align the differential (x)' of a term that happens to be a variable x ∈ V with its corresponding differential symbol x' for (3). The other cases exploit linearity for (4) and Leibniz properties of partial derivatives for (5). Case (6) exploits the chain rule and assignments and differential assignments for the fresh y, y' to mimic partial derivatives. Equation (6) generalizes to functions f of arity n > 1, in which case · is the (definable) Euclidean scalar product.


The first two cases follow from the semantics of differentials, since the value $I(f)$ of an arity 0 function symbol does not depend on the state and since $\partial[\![x]\!]^I/\partial y$ is 1 for $y = x$ and 0 otherwise:
$$[\![(f)']\!]^I\nu = \sum_x \nu(x')\,\frac{\partial [\![f]\!]^I}{\partial x}(\nu) = \sum_x \nu(x')\,\frac{\partial I(f)}{\partial x} = 0 \qquad (2)$$
$$[\![(x)']\!]^I\nu = \sum_y \nu(y')\,\frac{\partial [\![x]\!]^I}{\partial y}(\nu) = \nu(x')\,\frac{\partial \nu(x)}{\partial x} = \nu(x') = [\![x']\!]^I\nu \qquad (3)$$
Linearity of partial derivatives gives (4):
$$[\![(\theta+\eta)']\!]^I\nu = \sum_x \nu(x')\,\frac{\partial [\![\theta+\eta]\!]^I}{\partial x}(\nu) = \sum_x \nu(x')\Big(\frac{\partial [\![\theta]\!]^I}{\partial x}(\nu) + \frac{\partial [\![\eta]\!]^I}{\partial x}(\nu)\Big) = [\![(\theta)']\!]^I\nu + [\![(\eta)']\!]^I\nu = [\![(\theta)' + (\eta)']\!]^I\nu$$
The Leibniz rule for partial derivatives gives (5):
$$[\![(\theta\cdot\eta)']\!]^I\nu = \sum_x \nu(x')\,\frac{\partial [\![\theta\cdot\eta]\!]^I}{\partial x}(\nu) = \sum_x \nu(x')\Big(\frac{\partial [\![\theta]\!]^I}{\partial x}(\nu)\cdot[\![\eta]\!]^I\nu + [\![\theta]\!]^I\nu\cdot\frac{\partial [\![\eta]\!]^I}{\partial x}(\nu)\Big) = [\![(\theta)']\!]^I\nu\cdot[\![\eta]\!]^I\nu + [\![\theta]\!]^I\nu\cdot[\![(\eta)']\!]^I\nu = [\![(\theta)'\cdot\eta + \theta\cdot(\eta)']\!]^I\nu$$
Proving that $\nu \in [\![[y := \theta][y' := 1]\big((f(\theta))' = (f(y))'\cdot(\theta)'\big)]\!]^I$ requires showing that $\tilde\nu \in [\![(f(\theta))' = (f(y))'\cdot(\theta)']\!]^I$, i.e. $[\![(f(\theta))']\!]^I\tilde\nu = [\![(f(y))'\cdot(\theta)']\!]^I\tilde\nu$, where $\tilde\nu$ denotes the state $\nu_y^{[\![\theta]\!]^I\nu}{}_{y'}^{1}$ that agrees with $\nu$ except that $y$ has the value $[\![\theta]\!]^I\nu$ and $y'$ the value 1. This is equivalent to
$$[\![(f(\theta))']\!]^I\nu = [\![(f(y))']\!]^I\tilde\nu \cdot [\![(\theta)']\!]^I\nu$$
by Lemma 2, since $\tilde\nu = \nu$ on $\{y,y'\}^\complement$ and $y,y' \notin FV(\theta)$ by assumption, so $y,y' \notin FV((f(\theta))')$ and $y,y' \notin FV((\theta)')$. The latter equation proves using the chain rule and a fresh variable $z$ when denoting $[\![f]\!]^I = I(f)$:
$$[\![(f(\theta))']\!]^I\nu = \sum_x \nu(x')\,\frac{\partial [\![f(\theta)]\!]^I}{\partial x}(\nu) = \sum_x \nu(x')\,\frac{\partial \big(I(f)\circ[\![\theta]\!]^I\big)}{\partial x}(\nu) \overset{\text{chain}}{=} \sum_x \nu(x')\,\frac{\partial I(f)}{\partial z}\big([\![\theta]\!]^I\nu\big)\cdot\frac{\partial [\![\theta]\!]^I}{\partial x}(\nu)$$
$$= \frac{\partial I(f)}{\partial z}\big([\![\theta]\!]^I\nu\big)\cdot\sum_x \nu(x')\,\frac{\partial [\![\theta]\!]^I}{\partial x}(\nu) = \frac{\partial I(f)}{\partial z}\big([\![\theta]\!]^I\nu\big)\cdot[\![(\theta)']\!]^I\nu$$
while, since $[\![f(y)]\!]^I$ depends on the state only through the value of $y$, $\tilde\nu(y') = 1$ and $\tilde\nu(y) = [\![\theta]\!]^I\nu$:
$$[\![(f(y))']\!]^I\tilde\nu = \sum_x \tilde\nu(x')\,\frac{\partial [\![f(y)]\!]^I}{\partial x}(\tilde\nu) = \tilde\nu(y')\,\frac{\partial \big(I(f)\circ[\![y]\!]^I\big)}{\partial y}(\tilde\nu) \overset{\text{chain}}{=} 1\cdot\frac{\partial I(f)}{\partial z}\big(\tilde\nu(y)\big) = \frac{\partial I(f)}{\partial z}\big([\![\theta]\!]^I\nu\big)$$
Together, $[\![(f(\theta))']\!]^I\nu = [\![(f(y))']\!]^I\tilde\nu \cdot [\![(\theta)']\!]^I\nu$, which proves (6). □
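As an added illustration (not code from the paper), the following Python builds the derivation equations (2)-(5) of Lemma 13 as a syntactic operator on a tiny polynomial term language, evaluates differentials with the semantics used in the proofs above, and checks Lemma 11 numerically along a constructed flow of x' = x³, the differential equation of the example in Section 5.1; the term classes, the flow and the state encoding are this example's own assumptions.

```python
# Added example, not from the paper: a syntactic differential following the
# derivation equations (2)-(5) of Lemma 13 over a tiny polynomial term language,
# the differential semantics [[(theta)']] nu = sum_x nu(x') * d[[theta]]/dx (nu),
# and a numeric check of Lemma 11 along a constructed flow of x' = x^3.
from __future__ import annotations
from dataclasses import dataclass
from math import sqrt
from typing import Dict, Tuple, Union

@dataclass(frozen=True)
class Num:  val: float            # number literal (arity-0 function symbol)
@dataclass(frozen=True)
class Var:  name: str             # variable x in V
@dataclass(frozen=True)
class DVar: name: str             # differential symbol x'
@dataclass(frozen=True)
class Add:  l: Term; r: Term
@dataclass(frozen=True)
class Mul:  l: Term; r: Term
@dataclass(frozen=True)
class Diff: t: Term               # the differential (theta)'
Term = Union[Num, Var, DVar, Add, Mul, Diff]
State = Dict[str, float]          # nu maps "x" and "x'" to reals

def derive(t: Term) -> Term:
    """Syntactic differential by the derivation equations (2)-(5) of Lemma 13."""
    if isinstance(t, Num): return Num(0.0)                        # (2) (c)' = 0
    if isinstance(t, Var): return DVar(t.name)                    # (3) (x)' = x'
    if isinstance(t, Add): return Add(derive(t.l), derive(t.r))   # (4) linearity
    if isinstance(t, Mul):                                        # (5) Leibniz
        return Add(Mul(derive(t.l), t.r), Mul(t.l, derive(t.r)))
    raise ValueError(f"no derivation equation for {t}")

def partial(t: Term, x: str, nu: State) -> float:
    """Spatial partial derivative d[[t]]/dx at nu (polynomial terms only)."""
    if isinstance(t, Num):  return 0.0
    if isinstance(t, Var):  return 1.0 if t.name == x else 0.0
    if isinstance(t, DVar): return 0.0                            # x' is its own symbol
    if isinstance(t, Add):  return partial(t.l, x, nu) + partial(t.r, x, nu)
    if isinstance(t, Mul):
        return partial(t.l, x, nu) * value(t.r, nu) + value(t.l, nu) * partial(t.r, x, nu)
    raise ValueError(f"cannot differentiate {t}")

def value(t: Term, nu: State) -> float:
    """Semantics [[t]]^I nu; a differential sums nu(x') * d[[theta]]/dx over variables x."""
    if isinstance(t, Num):  return t.val
    if isinstance(t, Var):  return nu[t.name]
    if isinstance(t, DVar): return nu[t.name + "'"]
    if isinstance(t, Add):  return value(t.l, nu) + value(t.r, nu)
    if isinstance(t, Mul):  return value(t.l, nu) * value(t.r, nu)
    if isinstance(t, Diff):
        return sum(nu[v + "'"] * partial(t.t, v, nu) for v in nu if not v.endswith("'"))
    raise ValueError(f"unknown term {t}")

def flow_x_cubed(x0: float, t: float) -> State:
    """Constructed flow of x' = x^3 from x(0) = x0 (defined while 1 - 2*x0^2*t > 0);
    x' carries the value x^3 as the differential equation requires along the flow."""
    x = x0 / sqrt(1.0 - 2.0 * x0 * x0 * t)
    return {"x": x, "x'": x ** 3}

def lemma11_check(eta: Term, x0: float, zeta: float, h: float = 1e-5) -> Tuple[float, float]:
    """Returns ([[(eta)']] at phi(zeta), central-difference d[[eta]](phi(t))/dt at zeta)."""
    syntactic = value(Diff(eta), flow_x_cubed(x0, zeta))
    analytic = (value(eta, flow_x_cubed(x0, zeta + h)) - value(eta, flow_x_cubed(x0, zeta - h))) / (2 * h)
    return syntactic, analytic

if __name__ == "__main__":
    x_sq = Mul(Var("x"), Var("x"))                  # the term x*x of the example in Section 5.1
    print("(x*x)' =", derive(x_sq))                 # (x)'*x + x*(x)' with (x)' = x'
    print("Lemma 11 at zeta=0.3:", lemma11_check(x_sq, 0.5, 0.3))
```

The two numbers returned by lemma11_check agree up to the finite-difference error, which is the content of Lemma 11 for η = x·x; derive(x_sq) is exactly the conclusion of the derivation branch in the Section 5.1 proof.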


5.3 Soundness

Theorem 14 (Soundness). The dL axioms and proof rules in Fig. 2 are sound, i.e. the axioms are valid formulas and the conclusion of a rule is valid if its premises are. All US instances of the proof rules (with FV(σ) = ∅) are sound.

Proof. The axioms (and most proof rules) in Fig. 2 are special instances of corresponding axiom schemata and proof rules for differential dynamic logic and, thus, sound. All proof rules except US are even locally sound, i.e. for all I: if all their premises φ_j are valid in I (I ⊨ φ_j) then their conclusion is, too (I ⊨ ψ). Local soundness implies soundness. In addition, local soundness implies that US can be used to soundly instantiate proof rules just like it soundly instantiates axioms (Theorem 10). If
$$\frac{\varphi_1 \quad \ldots \quad \varphi_n}{\psi} \qquad (7)$$
is a locally sound proof rule then its substitution instance is locally sound:
$$\frac{\sigma(\varphi_1) \quad \ldots \quad \sigma(\varphi_n)}{\sigma(\psi)} \qquad (8)$$
where σ is any uniform substitution (for which the above results are defined, i.e. no clash) with FV(σ) = ∅. To show this, consider any I in which all premises of (8) are valid, i.e. I ⊨ σ(φ_j) for all j. That is, $\nu \in [\![\sigma(\varphi_j)]\!]^I$ for all ν and all j. By Lemma 8, $\nu \in [\![\sigma(\varphi_j)]\!]^I$ is equivalent to $\nu \in [\![\varphi_j]\!]^{\sigma^*_\nu I}$, which, thus, also holds for all ν and all j. By Corollary 6, $[\![\varphi_j]\!]^{\sigma^*_\nu I} = [\![\varphi_j]\!]^{\sigma^*_\omega I}$ for any ω, since FV(σ) = ∅. Consequently, all premises of (7) are valid in σ*I, i.e. σ*I ⊨ φ_j for all j. Thus, σ*I ⊨ ψ by local soundness of (7). That is, $\nu \in [\![\psi]\!]^{\sigma^* I}$ for all ν, and, by Corollary 6, $\nu \in [\![\psi]\!]^{\sigma^*_\nu I}$ for all ν. By Lemma 8, $\nu \in [\![\psi]\!]^{\sigma^*_\nu I}$ is equivalent to $\nu \in [\![\sigma(\psi)]\!]^I$, which continues to hold for all ν. Thus, I ⊨ σ(ψ), i.e. the conclusion of (8) is valid in I, hence (8) is locally sound. Consequently, all instances of the locally sound proof rules of dL with FV(σ) = ∅ are locally sound. Note that ∀ and MP can be augmented soundly to use a predicate symbol applied to all variables instead of p(x) or p, respectively, so that the FV(σ) = ∅ requirement will be met during US instances of all rules.


DW Soundness of DW uses that differential equations can never leave their evolution domain by Def. 6. To show $\nu \in [\![[x' = f(x) \,\&\, q(x)]q(x)]\!]^I$, consider any φ of any duration r ≥ 0 solving $I,\varphi \models x' = f(x) \wedge q(x)$. Then $I,\varphi \models q(x)$, hence $\varphi(r) \in [\![q(x)]\!]^I$.
DC Soundness of DC is a stronger version of soundness for the differential cut rule DC of [6]; DC is a differential version of the modal modus ponens K. The core is that if r(x) always holds after the differential equation and p(x) always holds after the differential equation x' = f(x) & q(x) ∧ r(x) that is restricted to r(x), then p(x) always holds after the differential equation x' = f(x) & q(x) without that additional restriction. Let $\nu \in [\![[x' = f(x) \,\&\, q(x)]r(x)]\!]^I$. Since all restrictions of solutions are solutions, this is equivalent to $I,\varphi \models r(x)$ for all φ of any duration solving $I,\varphi \models x' = f(x) \wedge q(x)$ and starting in φ(0) = ν on $\{x'\}^\complement$. Consequently, for all φ starting in φ(0) = ν on $\{x'\}^\complement$: $I,\varphi \models x' = f(x) \wedge q(x)$ is equivalent to $I,\varphi \models x' = f(x) \wedge q(x) \wedge r(x)$. Hence, $\nu \in [\![[x' = f(x) \,\&\, q(x) \wedge r(x)]p(x)]\!]^I$ is equivalent to $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x)]\!]^I$.

DE Soundness of DE is genuine to differential-form dL, leveraging Lemma 12. Consider any state ν. Then $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x,x')]\!]^I$ iff $\varphi(r) \in [\![p(x,x')]\!]^I$ for all solutions $\varphi : [0,r] \to \mathcal{S}$ of $I,\varphi \models x' = f(x) \wedge q(x)$ of any duration r starting in φ(0) = ν on $\{x'\}^\complement$. That is equivalent to: for all φ, if $I,\varphi \models x' = f(x) \wedge q(x)$ then $I,\varphi \models p(x,x')$. By Lemma 12, $I,\varphi \models p(x,x')$ iff $I,\varphi \models [x' := f(x)]p(x,x')$, so that is equivalent to $\varphi(r) \in [\![[x' := f(x)]p(x,x')]\!]^I$ for all solutions $\varphi : [0,r] \to \mathcal{S}$ of $I,\varphi \models x' = f(x) \wedge q(x)$ of any duration r starting in φ(0) = ν on $\{x'\}^\complement$, which is, consequently, equivalent to $\nu \in [\![[x' = f(x) \,\&\, q(x)][x' := f(x)]p(x,x')]\!]^I$.

DI Soundness of DI has some relation to the soundness proof for differential invariants [6], yet is generalized to leverage differentials. The proof is only shown for p(x) ≝ g(x) ≥ 0, in which case (p(x))' = ((g(x))' ≥ 0). Consider a state ν in which $\nu \in [\![q(x) \to (p(x) \wedge [x' = f(x) \,\&\, q(x)](p(x))')]\!]^I$. If $\nu \notin [\![q(x)]\!]^I$, there is nothing to show, because there is no solution of x' = f(x) & q(x) for any duration, so the consequence holds vacuously. Otherwise, $\nu \in [\![q(x)]\!]^I$ implies $\nu \in [\![p(x) \wedge [x' = f(x) \,\&\, q(x)](p(x))']\!]^I$. To show that $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x)]\!]^I$ consider any solution φ of any duration r ≥ 0. The case r = 0 follows from $\nu \in [\![p(x)]\!]^I$ by Lemma 3, since FV(p(x)) = {x} is disjoint from {x'}, which is changed by evolutions of any duration. That leaves the case r > 0. Let $I,\varphi \models x' = f(x) \wedge q(x)$, which, by $\nu \in [\![[x' = f(x) \,\&\, q(x)](p(x))']\!]^I$, implies $I,\varphi \models (p(x))'$. Since r > 0, Lemma 11 implies $0 \le [\![(g(x))']\!]^I\varphi(\zeta) = \frac{d\,[\![g(x)]\!]^I(\varphi(t))}{dt}(\zeta)$ for all ζ. Together with $\varphi(0) \in [\![p(x)]\!]^I$ (by Lemma 3 and FV(p(x)) ∩ {x'} = ∅), i.e. $\varphi(0) \in [\![g(x) \ge 0]\!]^I$, this implies $\varphi(\zeta) \in [\![g(x) \ge 0]\!]^I$ for all ζ, including r, by the mean-value theorem, since $[\![g(x)]\!]^I\varphi(t)$ is continuous in t on [0, r] and differentiable on (0, r).


DG Soundness of DG is a constructive variation of the soundness proof for differential auxiliaries [6]. Let $\nu \in [\![\exists y\,[x' = f(x), y' = a(x)y + b(x) \,\&\, q(x)]p(x)]\!]^I$, that is, $\nu_y^d \in [\![[x' = f(x), y' = a(x)y + b(x) \,\&\, q(x)]p(x)]\!]^I$ for some d. In order to show that $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x)]\!]^I$, consider any $\varphi : [0,r] \to \mathcal{S}$ such that $I,\varphi \models x' = f(x) \wedge q(x)$ and φ(0) = ν on $\{x'\}^\complement$. By modifying the values of y, y' along φ, this function can be augmented to a solution $\tilde\varphi : [0,r] \to \mathcal{S}$ such that $I,\tilde\varphi \models x' = f(x) \wedge y' = a(x)y + b(x) \wedge q(x)$ and $\tilde\varphi(0)(y) = d$. The assumption then implies $\tilde\varphi(r) \in [\![p(x)]\!]^I$, which, by Lemma 3, is equivalent to $\varphi(r) \in [\![p(x)]\!]^I$ since y, y' ∉ FV(p(x)) and $\varphi(r) = \tilde\varphi(r)$ on $\{y,y'\}^\complement$, which implies $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x)]\!]^I$, since φ was arbitrary. The construction of the modification $\tilde\varphi$ of φ on {y, y'} proceeds as follows. By Picard-Lindelöf [14, §10.VII], there is a solution $y : [0,r] \to \mathbb{R}$ of the initial-value problem
$$y(0) = d$$
$$y'(t) = F(t, y(t)) = y(t)\,[\![a(x)]\!]^I\varphi(t) + [\![b(x)]\!]^I\varphi(t) \qquad (9)$$
because F(t, y) is continuous on $[0,r] \times \mathbb{R}$ (since $[\![a(x)]\!]^I\varphi(t)$ and $[\![b(x)]\!]^I\varphi(t)$ are continuous in t as compositions of the, by Def. 4 smooth, evaluation function and the continuous solution φ(t) of a differential equation) and because F(t, y) satisfies the Lipschitz condition
$$\|F(t,y) - F(t,z)\| = \|(y - z)\,[\![a(x)]\!]^I\varphi(t)\| \le \|y - z\| \max_{t \in [0,r]} \big|[\![a(x)]\!]^I\varphi(t)\big|$$
where the maximum exists, because it is a maximum of a continuous function on the compact set [0, r]. The modification $\tilde\varphi$ agrees with φ on $\{y,y'\}^\complement$ and is defined as $\tilde\varphi(t)(y) = y(t)$ and $\tilde\varphi(t)(y') = F(t, y(t)) = y'(t)$ on {y, y'}, respectively, for the solution y(t) of (9). By construction, $\tilde\varphi(0)(y) = d$ and $I,\tilde\varphi \models x' = f(x) \wedge y' = a(x)y + b(x) \wedge q(x)$, because $\tilde\varphi(t) = \varphi(t)$ on $\{y,y'\}^\complement$ so that x' = f(x) & q(x) continues to hold along $\tilde\varphi$ by Lemma 2, because y, y' ∉ FV(x' = f(x) & q(x)), and because y' = a(x)y + b(x) holds along $\tilde\varphi$ by (9).

Conversely, let $\nu \in [\![[x' = f(x) \,\&\, q(x)]p(x)]\!]^I$. This direction shows a stronger version of $\nu \in [\![\exists y\,[x' = f(x), y' = a(x)y + b(x) \,\&\, q(x)]p(x)]\!]^I$ by showing that $\nu_y^d \in [\![[x' = f(x), y' = \eta \,\&\, q(x)]p(x)]\!]^I$ for all $d \in \mathbb{R}$ and all terms η. Consider any $\varphi : [0,r] \to \mathcal{S}$ such that $I,\varphi \models x' = f(x) \wedge y' = \eta \wedge q(x)$ with $\varphi(0) = \nu_y^d$ on $\{x',y'\}^\complement$. Then the restriction $\varphi|_{\{y,y'\}^\complement}$ of φ to $\{y,y'\}^\complement$ with $\varphi|_{\{y,y'\}^\complement}(t) = \nu_y^d$ on {y, y'} for all t ∈ [0, r] still solves $I,\varphi|_{\{y,y'\}^\complement} \models x' = f(x) \wedge q(x)$ by Lemma 2, since $\varphi|_{\{y,y'\}^\complement} = \varphi$ on $\{y,y'\}^\complement$ and y, y' ∉ FV(x' = f(x) & q(x)). It also satisfies $\varphi|_{\{y,y'\}^\complement}(0) = \nu_y^d$ on $\{x'\}^\complement$, because $\varphi(0) = \nu_y^d$ on $\{x',y'\}^\complement$ yet $\varphi|_{\{y,y'\}^\complement}(t)(y') = \nu_y^d(y')$. Thus, by assumption, $\varphi|_{\{y,y'\}^\complement}(r) \in [\![p(x)]\!]^I$, which implies $\varphi(r) \in [\![p(x)]\!]^I$ by Lemma 3, because $\varphi = \varphi|_{\{y,y'\}^\complement}$ on $\{y,y'\}^\complement$ and y, y' ∉ FV(p(x)).

DS Soundness of the solution axiom DS follows from existence and uniqueness of global solutions of constant differential equations. Consider any state ν. There is a unique [14, §10.VII] global solution $\varphi : [0,\infty) \to \mathcal{S}$ defined as $\varphi(\zeta)(x) = [\![x + ft]\!]^I\nu_t^\zeta$ and $\varphi(\zeta)(x') = \frac{d\varphi(t)(x)}{dt}(\zeta) = [\![f]\!]^I\nu$ and φ(ζ) = ν on $\{x,x'\}^\complement$. This solution satisfies φ(0) = ν on $\{x'\}^\complement$ and $I,\varphi \models x' = f$, i.e. $\varphi(\zeta) \in [\![x' = f]\!]^I$ for all 0 ≤ ζ ≤ r. All solutions of x' = f from initial state ν are restrictions of φ to subintervals of [0, ∞). The (unique) state ω that satisfies $(\nu_t^\zeta, \omega) \in [\![x := x + ft]\!]^I$ agrees with ω = φ(ζ) on $\{x'\}^\complement$, so that, by x' ∉ FV(p(x)), Lemma 3 implies that $\omega \in [\![p(x)]\!]^I$ iff $\varphi(\zeta) \in [\![p(x)]\!]^I$.

First consider axiom [x' = f]p(x) ↔ ∀t≥0 [x := x + ft]p(x) for q(x) ≡ true. If $\nu \in [\![[x' = f]p(x)]\!]^I$, then $\varphi(\zeta) \in [\![p(x)]\!]^I$ for all ζ ≥ 0, because the restriction of φ to [0, ζ] solves x' = f from ν, thus $\omega \in [\![p(x)]\!]^I$, which implies $\nu_t^\zeta \in [\![[x := x + ft]p(x)]\!]^I$, so $\nu \in [\![\forall t{\ge}0\,[x := x + ft]p(x)]\!]^I$ as ζ ≥ 0 was arbitrary. Conversely, $\nu \in [\![\forall t{\ge}0\,[x := x + ft]p(x)]\!]^I$ implies $\nu_t^\zeta \in [\![[x := x + ft]p(x)]\!]^I$ for all ζ ≥ 0, i.e. $\omega \in [\![p(x)]\!]^I$ when $(\nu_t^\zeta, \omega) \in [\![x := x + ft]\!]^I$. Lemma 3 again implies $\varphi(\zeta) \in [\![p(x)]\!]^I$ for all ζ ≥ 0, so $\nu \in [\![[x' = f]p(x)]\!]^I$, since all solutions are restrictions of φ.

Soundness of DS now follows using that all solutions $\varphi : [0,r] \to \mathcal{S}$ of x' = f & q(x) satisfy $\varphi(\zeta) \in [\![q(x)]\!]^I$ for all 0 ≤ ζ ≤ r, which, using Lemma 3 as above, is equivalent to $\nu \in [\![\forall 0{\le}s{\le}t\; q(x + fs)]\!]^I$ when ν(t) = r.


[':=] Soundness of [':=] follows from the semantics of differential assignments (Def. 6) and compositionality. In detail: x' := f changes the value of symbol x' to the value of f. The predicate p has the same value for arguments x' and f that have the same value.


+',·',∘' Soundness of the derivation axioms +', ·', ∘' follows from Lemma 13, since they are special instances of (4) and (5) and (6), respectively. For ∘' observe that y, y' ∉ g(x).


G Let the premise p(x) be valid in some I, i.e. I ⊨ p(x), i.e. $\omega \in [\![p(x)]\!]^I$ for all ω. Then, the conclusion [a]p(x) is valid in the same I, i.e. $\nu \in [\![[a]p(x)]\!]^I$ for all ν, because $\omega \in [\![p(x)]\!]^I$ for all ω, so also for all ω with $(\nu, \omega) \in [\![a]\!]^I$. Thus, G is locally sound.


∀ Let the premise p(x) be valid in some I, i.e. I ⊨ p(x), i.e. $\omega \in [\![p(x)]\!]^I$ for all ω. Then, the conclusion ∀x p(x) is valid in the same I, i.e. $\nu \in [\![\forall x\,p(x)]\!]^I$ for all ν, i.e. $\nu_x^d \in [\![p(x)]\!]^I$ for all $d \in \mathbb{R}$, because $\omega \in [\![p(x)]\!]^I$ for all ω, so in particular for all $\omega = \nu_x^d$ for any $d \in \mathbb{R}$. Thus, ∀ is locally sound.


CQ Let the premise f(x) = g(x) be valid in some I, i.e. I ⊨ f(x) = g(x), i.e. $\nu \in [\![f(x) = g(x)]\!]^I$ for all ν, i.e. $[\![f(x)]\!]^I\nu = [\![g(x)]\!]^I\nu$ for all ν. Consequently, $[\![f(x)]\!]^I\nu \in I(p)$ iff $[\![g(x)]\!]^I\nu \in I(p)$. So, I ⊨ p(f(x)) ↔ p(g(x)). Thus, CQ is locally sound.


CE Let the premise p(x) ↔ q(x) be valid in some I, i.e. I ⊨ p(x) ↔ q(x), i.e. $\nu \in [\![p(x) \leftrightarrow q(x)]\!]^I$ for all ν. Consequently, $[\![p(x)]\!]^I = [\![q(x)]\!]^I$. Thus, $[\![C(p(x))]\!]^I = I(C)([\![p(x)]\!]^I) = I(C)([\![q(x)]\!]^I) = [\![C(q(x))]\!]^I$. This implies I ⊨ C(p(x)) ↔ C(q(x)), hence the conclusion is valid in I. Thus, CE is locally sound.


CT Rule CT is a (locally sound) derived rule and only included for comparison. CT is derivable from CQ using p(·) ≝ (c(·) = c(g(x))) and reflexivity of =.

MP Modus ponens MP is locally sound with respect to the interpretation I and the state ν, which implies local soundness and thus soundness. If $\nu \in [\![p \to q]\!]^I$ and $\nu \in [\![p]\!]^I$ then $\nu \in [\![q]\!]^I$.

US Uniform substitution is sound by Theorem 10, just not necessarily locally sound.

□
6 Conclusions

With differential forms for local reasoning about differential equations, uniform substitutions lead to a simple and modular proof calculus for differential dynamic logic that is entirely based on axioms and axiomatic rules, instead of soundness-critical schema variables with side-conditions in axiom schemata. The US calculus is straightforward to implement and enables flexible reasoning with axioms by contextual equivalence. Efficiency can be regained by tactics that combine multiple axioms and rebalance the proof to obtain short proof search branches. Contextual equivalence rewriting for implications is possible when adding monotone quantifiers C whose substitution instances limit the placeholder _ to positive polarity.
A Appendix

This appendix briefly discusses generalized uses and forms of the differential ghost axiom and how it generalizes the differential auxiliaries proof rule [6].

Differential Lipschitz Ghosts The differential ghost axiom DG generalizes to arbitrary Lipschitz-continuous differential equations y' = g(x, y):

  DGℓ  ([x' = f(x) & q(x)]p(x) ↔ ∃y [x' = f(x), y' = g(x, y) & q(x)]p(x))  ←  ∃ℓ ∀x, y, z (|g(x, y) − g(x, z)| ≤ ℓ|y − z|)

The soundness argument for DGℓ is an extension of the soundness proof for DG. The direction "→" of DG is sound for all differential equations. The proof for the direction "←" extends the proof for DG with an adaptation of the function F from (9) to the differential equation y' = g(x, y):
$$y(0) = d$$
$$y'(t) = F(t, y(t)) = [\![g(x,y)]\!]^I\varphi(t)_y^{y(t)} \qquad (10)$$
This function $F(t, \bar y)$ is still continuous on $[0,r] \times \mathbb{R}$ since it is a composition of the continuous evaluation (of the, by assumption, continuous term g(x, y)) with the (continuous) composition of the continuous function φ(t) of t with the continuous modification of the value of variable y to $\bar y$. By assumption F(t, y) is Lipschitz in y, since there is an ℓ ∈ ℝ such that for all t, a, b ∈ ℝ (with z a fresh variable):
$$|F(t,a) - F(t,b)| = \big|[\![g(x,y)]\!]^I\varphi(t)_y^a - [\![g(x,y)]\!]^I\varphi(t)_y^b\big| = \big|[\![g(x,y) - g(x,z)]\!]^I\varphi(t)_y^a{}_z^b\big| = [\![\,|g(x,y) - g(x,z)|\,]\!]^I\varphi(t)_y^a{}_z^b \le [\![\ell|y - z|]\!]^I\varphi(t)_y^a{}_z^b = \ell|a - b|$$
This establishes the only two properties of F that the soundness proof of DG was based on. The existence of a solution $y : [0,r] \to \mathbb{R}$ of (10) is, thus, established again by Picard-Lindelöf as needed for the soundness proof.


Differential Auxiliaries Rule The differential auxiliaries proof rule [6] is derivable from DG and monotonicity M:

         p(x) ↔ ∃y r(x, y)        r(x, y) → [x' = f(x), y' = g(x, y) & q(x)] r(x, y)
  (DA) ────────────────────────────────────────────────────────────────────────────
                         p(x) → [x' = f(x) & q(x)] p(x)

where y is new and y' = g(x, y), y(0) = y₀ has a solution y : [0, ∞) → ℝⁿ for each y₀.

The derivation proceeds as follows (the middle premise uses V∃ with y ∉ p(x)):

                              ∃y r(x,y) → p(x)
                        ∃i   ─────────────────────
                              r(x,y) → p(x)          r(x,y) → [x' = f(x), y' = g(x,y) & q(x)] r(x,y)
                        M    ──────────────────────────────────────────────────────────────────────
                              r(x,y) → [x' = f(x), y' = g(x,y) & q(x)] p(x)
                        ∃i   ─────────────────────────────────────────────
                              r(x,y) → ∃y [x' = f(x), y' = g(x,y) & q(x)] p(x)
                        DG   ─────────────────────────────────────────────
  p(x) → ∃y r(x,y)            r(x,y) → [x' = f(x) & q(x)] p(x)
                        V∃   ─────────────────────────────────────────────
                              ∃y r(x,y) → [x' = f(x) & q(x)] p(x)
  ──────────────────────────────────────────────────────────────────────
                   p(x) → [x' = f(x) & q(x)] p(x)

Using the following duals of ∀i and V∀ as well as the monotonicity rule M that derives from G and K:

  (∃i)  p(f) → ∃x p(x)
  (V∃)  ∃x p → p          (x ∉ p)
  (M)   from φ → ψ infer [a]φ → [a]ψ